Analysis
-
max time kernel
115s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-09-2024 22:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a5b9b27a38bb82305e99ee3250ffb920N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a5b9b27a38bb82305e99ee3250ffb920N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a5b9b27a38bb82305e99ee3250ffb920N.exe
-
Size
360KB
-
MD5
a5b9b27a38bb82305e99ee3250ffb920
-
SHA1
6857cc1f19ecd652f0dbac1a6c9e293b0a48427c
-
SHA256
c40e334d4e96c3392df2fdef882b02cae6a8703be7817a7bed0e66dde8bc0258
-
SHA512
0d48e069bd72d68f198628b59c1b53f1fb1f8a9b31a2f1b2fd774ae54c5150df7788912cfab9688f2b127f609d85a3353b4fde889723351cc6679505720e297f
-
SSDEEP
6144:ODSdIE9CpX2/mnbzvdLaD6OkPgl6bmIjlQFxU:OcCpXImbzQD6OkPgl6bmIjKxU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jacpcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjmmfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pokanf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmddihfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eebgqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biedhclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnoad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjjdmaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohaokbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjlnhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nboiekjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oheienli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkakhakq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phmnfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Femigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkimn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbhbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggldde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kknhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olnmdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikqcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgihh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khifno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okceaikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clgmkbna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akopoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeailhme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhgbomfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oapllk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecialmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqbpahpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfngcdhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gledpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qciebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnoigpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcddkggf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgmllpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kclnfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpelqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obqopddf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddokabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abflfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajnmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkhidaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfnooe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bplhhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmafc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khihld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcccn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbdip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnpami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jldkeeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goadfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hladlc32.exe -
Executes dropped EXE 64 IoCs
pid Process 4120 Hgeihiac.exe 720 Hcljmj32.exe 2296 Ibnjkbog.exe 3032 Icogcjde.exe 1312 Iabglnco.exe 1032 Ibbcfa32.exe 1760 Iccpniqp.exe 3868 Iagqgn32.exe 4000 Ijpepcfj.exe 2392 Ieeimlep.exe 5040 Ijbbfc32.exe 4660 Jlanpfkj.exe 3168 Jnpjlajn.exe 384 Jldkeeig.exe 1844 Jaqcnl32.exe 668 Jacpcl32.exe 2372 Jlidpe32.exe 4784 Jbbmmo32.exe 3416 Jjnaaa32.exe 2692 Kdffjgpj.exe 3944 Koljgppp.exe 2520 Klpjad32.exe 1568 Kbjbnnfg.exe 3408 Khfkfedn.exe 1756 Kblpcndd.exe 2868 Kejloi32.exe 2316 Khihld32.exe 2340 Ldbefe32.exe 216 Lklnconj.exe 2172 Logicn32.exe 3724 Llkjmb32.exe 3940 Ledoegkm.exe 3068 Lkqgno32.exe 3004 Lajokiaa.exe 2436 Lkcccn32.exe 4716 Loopdmpk.exe 4792 Ldkhlcnb.exe 4528 Mkepineo.exe 4428 Maoifh32.exe 1804 Mhiabbdi.exe 4028 Mociol32.exe 2456 Mdpagc32.exe 2596 Mkjjdmaj.exe 4116 Mcabej32.exe 4244 Mhnjna32.exe 1068 Mklfjm32.exe 3832 Mccokj32.exe 3400 Mebkge32.exe 4136 Mkocol32.exe 2352 Medglemj.exe 4284 Nlnpio32.exe 2524 Nchhfild.exe 4156 Ndidna32.exe 3348 Nooikj32.exe 1976 Ndlacapp.exe 456 Nlcidopb.exe 1628 Ncmaai32.exe 380 Ndnnianm.exe 2836 Nlefjnno.exe 2420 Nconfh32.exe 2712 Ndpjnq32.exe 1764 Nlgbon32.exe 5144 Nofoki32.exe 5184 Nfpghccm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kmeiie32.exe Kjfmminc.exe File created C:\Windows\SysWOW64\Lfpkhjae.exe Lmgfod32.exe File created C:\Windows\SysWOW64\Qhbkhpqq.dll Qdipag32.exe File created C:\Windows\SysWOW64\Icakofel.exe Ikjcmi32.exe File created C:\Windows\SysWOW64\Cmqqnelh.dll Olndnp32.exe File opened for modification C:\Windows\SysWOW64\Bpggbm32.exe Process not Found File created C:\Windows\SysWOW64\Iboogh32.dll Process not Found File created C:\Windows\SysWOW64\Ndidna32.exe Nchhfild.exe File opened for modification C:\Windows\SysWOW64\Edcgnmml.exe Eebgqe32.exe File opened for modification C:\Windows\SysWOW64\Qciebg32.exe Qipqibmf.exe File created C:\Windows\SysWOW64\Cnmoglij.exe Ccgjjc32.exe File created C:\Windows\SysWOW64\Fchlhnlo.exe Fmndkd32.exe File created C:\Windows\SysWOW64\Mdibplaf.exe Mdgejmdi.exe File created C:\Windows\SysWOW64\Oiojmgcb.exe Process not Found File created C:\Windows\SysWOW64\Mdkhkflh.exe Process not Found File created C:\Windows\SysWOW64\Cboibm32.exe Cpqlfa32.exe File created C:\Windows\SysWOW64\Agaoca32.exe Ainnhdbp.exe File created C:\Windows\SysWOW64\Alihodif.dll Gaffbg32.exe File opened for modification C:\Windows\SysWOW64\Lpdefc32.exe Lmfhjhdm.exe File opened for modification C:\Windows\SysWOW64\Ndlacapp.exe Nooikj32.exe File created C:\Windows\SysWOW64\Bnclamqe.exe Bkepeaaa.exe File opened for modification C:\Windows\SysWOW64\Dmnkdfce.exe Djoohk32.exe File created C:\Windows\SysWOW64\Fngpnm32.dll Nfnooe32.exe File opened for modification C:\Windows\SysWOW64\Ongpeejj.exe Olidijjf.exe File created C:\Windows\SysWOW64\Kmeeafnb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bekfkc32.exe Process not Found File created C:\Windows\SysWOW64\Amfemoei.dll Ebcdjc32.exe File opened for modification C:\Windows\SysWOW64\Nkpbpp32.exe Nhafcd32.exe File created C:\Windows\SysWOW64\Haeadi32.exe Hmifcjif.exe File created C:\Windows\SysWOW64\Mgjkag32.exe Mbmbiqqp.exe File opened for modification C:\Windows\SysWOW64\Ojhijjll.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ljleil32.exe Lfqjhmhk.exe File created C:\Windows\SysWOW64\Beoeaj32.dll Bjqjpp32.exe File opened for modification C:\Windows\SysWOW64\Bjcmpepm.exe Bdgehobe.exe File created C:\Windows\SysWOW64\Kblpcndd.exe Khfkfedn.exe File created C:\Windows\SysWOW64\Ggbmafnm.exe Gjnlha32.exe File created C:\Windows\SysWOW64\Mmpbkm32.exe Mffjnc32.exe File created C:\Windows\SysWOW64\Bfffkmlb.dll Mfomda32.exe File created C:\Windows\SysWOW64\Kcbded32.exe Kkkldg32.exe File opened for modification C:\Windows\SysWOW64\Mmlhpaji.exe Lfbpcgbl.exe File created C:\Windows\SysWOW64\Lckmpaek.dll Process not Found File created C:\Windows\SysWOW64\Jpdbjleo.exe Jmffnq32.exe File created C:\Windows\SysWOW64\Ojkbfc32.dll Ghadjkhh.exe File opened for modification C:\Windows\SysWOW64\Lalchm32.exe Process not Found File created C:\Windows\SysWOW64\Jgnhmn32.dll Ljncnhhk.exe File created C:\Windows\SysWOW64\Kifjip32.exe Kciaqi32.exe File created C:\Windows\SysWOW64\Gaobmboi.dll Omlkmign.exe File opened for modification C:\Windows\SysWOW64\Alcfpm32.exe Agfnhf32.exe File created C:\Windows\SysWOW64\Aikbpckb.exe Process not Found File created C:\Windows\SysWOW64\Aecialmb.exe Alkeifga.exe File created C:\Windows\SysWOW64\Emfbmcph.dll Jggapj32.exe File created C:\Windows\SysWOW64\Njogdldg.exe Process not Found File created C:\Windows\SysWOW64\Blgeik32.dll Kciaqi32.exe File created C:\Windows\SysWOW64\Femigg32.exe Fkgejncb.exe File created C:\Windows\SysWOW64\Fmbflm32.exe Fgencf32.exe File created C:\Windows\SysWOW64\Enaaiifb.exe Ekcemmgo.exe File created C:\Windows\SysWOW64\Fkloka32.dll Hfhbipdb.exe File opened for modification C:\Windows\SysWOW64\Dgnolj32.exe Dmhkoaco.exe File created C:\Windows\SysWOW64\Pkogmihf.dll Process not Found File created C:\Windows\SysWOW64\Lhfcek32.dll Jjcqffkm.exe File opened for modification C:\Windows\SysWOW64\Hjimaole.exe Hfmqapcl.exe File created C:\Windows\SysWOW64\Agjbnd32.dll Process not Found File created C:\Windows\SysWOW64\Kkfkod32.exe Process not Found File created C:\Windows\SysWOW64\Lndkebgi.dll Jlanpfkj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14260 13908 Process not Found 1329 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmkipncc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Canocm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diafqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlbag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccipelcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqhcno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedkogqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalgbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcfkiock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeihiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjcmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmlhpaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oianmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjldocde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgnleiid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaefne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okiefn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emikpeig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pemhmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfonfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqgiel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfncia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjhgke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaffbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhihkjfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpmpkoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnokjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kagbdenk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaqejcep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Becknc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giboijgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdhgaid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjnlha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimgba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjphoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmndkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olidijjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abodhpic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpjjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifaepolg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjodbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logbigbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekeie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcngddao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnkfelb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odljjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbhlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjgemi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omigmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonilenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahedoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idmafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbbdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgljg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhcmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimlgnij.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqddqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcoioabf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhhbnla.dll" Bkfmjnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epeademe.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfncia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnclamqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejhanj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mejfbf32.dll" Nhdicjfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hohcmjic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmdhnhkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmaakpfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfnooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklnconj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbieebha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pphckb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhachh32.dll" Dmhkoaco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moiheebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbiicqa.dll" Okbhlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goahpc32.dll" Bnfoac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcmeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkggfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaifo32.dll" Hgeihiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfbbdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bckddn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogcike32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaefne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cemndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meahle32.dll" Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifpjgg32.dll" Jmffnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmefiakh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpgihh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjpkn32.dll" Fjeibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbjade32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jikjlg32.dll" Agobna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpdkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbapoqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hembndee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiabhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdhdbhl.dll" Ofcaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehienn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhcbidcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeneidji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpdefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akgcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfmahknh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nheeabjo.dll" Lcbmlbig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjehok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lilbdcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ainfpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfbcfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohncdobq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll" Pmmeak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkpbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pphlpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icnbdlfc.dll" Nehjmnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gledpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pddokabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpmmfbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loancd32.dll" Iqbpahpc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4416 wrote to memory of 4120 4416 a5b9b27a38bb82305e99ee3250ffb920N.exe 90 PID 4416 wrote to memory of 4120 4416 a5b9b27a38bb82305e99ee3250ffb920N.exe 90 PID 4416 wrote to memory of 4120 4416 a5b9b27a38bb82305e99ee3250ffb920N.exe 90 PID 4120 wrote to memory of 720 4120 Hgeihiac.exe 91 PID 4120 wrote to memory of 720 4120 Hgeihiac.exe 91 PID 4120 wrote to memory of 720 4120 Hgeihiac.exe 91 PID 720 wrote to memory of 2296 720 Hcljmj32.exe 92 PID 720 wrote to memory of 2296 720 Hcljmj32.exe 92 PID 720 wrote to memory of 2296 720 Hcljmj32.exe 92 PID 2296 wrote to memory of 3032 2296 Ibnjkbog.exe 93 PID 2296 wrote to memory of 3032 2296 Ibnjkbog.exe 93 PID 2296 wrote to memory of 3032 2296 Ibnjkbog.exe 93 PID 3032 wrote to memory of 1312 3032 Icogcjde.exe 95 PID 3032 wrote to memory of 1312 3032 Icogcjde.exe 95 PID 3032 wrote to memory of 1312 3032 Icogcjde.exe 95 PID 1312 wrote to memory of 1032 1312 Iabglnco.exe 96 PID 1312 wrote to memory of 1032 1312 Iabglnco.exe 96 PID 1312 wrote to memory of 1032 1312 Iabglnco.exe 96 PID 1032 wrote to memory of 1760 1032 Ibbcfa32.exe 97 PID 1032 wrote to memory of 1760 1032 Ibbcfa32.exe 97 PID 1032 wrote to memory of 1760 1032 Ibbcfa32.exe 97 PID 1760 wrote to memory of 3868 1760 Iccpniqp.exe 99 PID 1760 wrote to memory of 3868 1760 Iccpniqp.exe 99 PID 1760 wrote to memory of 3868 1760 Iccpniqp.exe 99 PID 3868 wrote to memory of 4000 3868 Iagqgn32.exe 100 PID 3868 wrote to memory of 4000 3868 Iagqgn32.exe 100 PID 3868 wrote to memory of 4000 3868 Iagqgn32.exe 100 PID 4000 wrote to memory of 2392 4000 Ijpepcfj.exe 102 PID 4000 wrote to memory of 2392 4000 Ijpepcfj.exe 102 PID 4000 wrote to memory of 2392 4000 Ijpepcfj.exe 102 PID 2392 wrote to memory of 5040 2392 Ieeimlep.exe 103 PID 2392 wrote to memory of 5040 2392 Ieeimlep.exe 103 PID 2392 wrote to memory of 5040 2392 Ieeimlep.exe 103 PID 5040 wrote to memory of 4660 5040 Ijbbfc32.exe 104 PID 5040 wrote to memory of 4660 5040 Ijbbfc32.exe 104 PID 5040 wrote to memory of 4660 5040 Ijbbfc32.exe 104 PID 4660 wrote to memory of 3168 4660 Jlanpfkj.exe 105 PID 4660 wrote to memory of 3168 4660 Jlanpfkj.exe 105 PID 4660 wrote to memory of 3168 4660 Jlanpfkj.exe 105 PID 3168 wrote to memory of 384 3168 Jnpjlajn.exe 106 PID 3168 wrote to memory of 384 3168 Jnpjlajn.exe 106 PID 3168 wrote to memory of 384 3168 Jnpjlajn.exe 106 PID 384 wrote to memory of 1844 384 Jldkeeig.exe 107 PID 384 wrote to memory of 1844 384 Jldkeeig.exe 107 PID 384 wrote to memory of 1844 384 Jldkeeig.exe 107 PID 1844 wrote to memory of 668 1844 Jaqcnl32.exe 108 PID 1844 wrote to memory of 668 1844 Jaqcnl32.exe 108 PID 1844 wrote to memory of 668 1844 Jaqcnl32.exe 108 PID 668 wrote to memory of 2372 668 Jacpcl32.exe 109 PID 668 wrote to memory of 2372 668 Jacpcl32.exe 109 PID 668 wrote to memory of 2372 668 Jacpcl32.exe 109 PID 2372 wrote to memory of 4784 2372 Jlidpe32.exe 110 PID 2372 wrote to memory of 4784 2372 Jlidpe32.exe 110 PID 2372 wrote to memory of 4784 2372 Jlidpe32.exe 110 PID 4784 wrote to memory of 3416 4784 Jbbmmo32.exe 111 PID 4784 wrote to memory of 3416 4784 Jbbmmo32.exe 111 PID 4784 wrote to memory of 3416 4784 Jbbmmo32.exe 111 PID 3416 wrote to memory of 2692 3416 Jjnaaa32.exe 112 PID 3416 wrote to memory of 2692 3416 Jjnaaa32.exe 112 PID 3416 wrote to memory of 2692 3416 Jjnaaa32.exe 112 PID 2692 wrote to memory of 3944 2692 Kdffjgpj.exe 113 PID 2692 wrote to memory of 3944 2692 Kdffjgpj.exe 113 PID 2692 wrote to memory of 3944 2692 Kdffjgpj.exe 113 PID 3944 wrote to memory of 2520 3944 Koljgppp.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5b9b27a38bb82305e99ee3250ffb920N.exe"C:\Users\Admin\AppData\Local\Temp\a5b9b27a38bb82305e99ee3250ffb920N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Hcljmj32.exeC:\Windows\system32\Hcljmj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\Ibnjkbog.exeC:\Windows\system32\Ibnjkbog.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Icogcjde.exeC:\Windows\system32\Icogcjde.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Jnpjlajn.exeC:\Windows\system32\Jnpjlajn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Jaqcnl32.exeC:\Windows\system32\Jaqcnl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Jacpcl32.exeC:\Windows\system32\Jacpcl32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Jlidpe32.exeC:\Windows\system32\Jlidpe32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Kdffjgpj.exeC:\Windows\system32\Kdffjgpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe23⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Kbjbnnfg.exeC:\Windows\system32\Kbjbnnfg.exe24⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3408 -
C:\Windows\SysWOW64\Kblpcndd.exeC:\Windows\system32\Kblpcndd.exe26⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe27⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe29⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Lklnconj.exeC:\Windows\system32\Lklnconj.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe31⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe32⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Ledoegkm.exeC:\Windows\system32\Ledoegkm.exe33⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Lkqgno32.exeC:\Windows\system32\Lkqgno32.exe34⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe35⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Lkcccn32.exeC:\Windows\system32\Lkcccn32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe37⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Ldkhlcnb.exeC:\Windows\system32\Ldkhlcnb.exe38⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe39⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe40⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe41⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Mociol32.exeC:\Windows\system32\Mociol32.exe42⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe43⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Mkjjdmaj.exeC:\Windows\system32\Mkjjdmaj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Mcabej32.exeC:\Windows\system32\Mcabej32.exe45⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe46⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe47⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe48⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe49⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe50⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Medglemj.exeC:\Windows\system32\Medglemj.exe51⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe52⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Ndidna32.exeC:\Windows\system32\Ndidna32.exe54⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Nooikj32.exeC:\Windows\system32\Nooikj32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3348 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe56⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe57⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Ncmaai32.exeC:\Windows\system32\Ncmaai32.exe58⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe59⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Nlefjnno.exeC:\Windows\system32\Nlefjnno.exe60⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe61⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Ndpjnq32.exeC:\Windows\system32\Ndpjnq32.exe62⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe63⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Nofoki32.exeC:\Windows\system32\Nofoki32.exe64⤵
- Executes dropped EXE
PID:5144 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe65⤵
- Executes dropped EXE
PID:5184 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe66⤵
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Oohkai32.exeC:\Windows\system32\Oohkai32.exe67⤵
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe68⤵PID:5304
-
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe69⤵PID:5344
-
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe70⤵PID:5384
-
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe71⤵PID:5424
-
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe72⤵PID:5464
-
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5504 -
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe75⤵PID:5584
-
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe76⤵
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe77⤵PID:5664
-
C:\Windows\SysWOW64\Oflfdbip.exeC:\Windows\system32\Oflfdbip.exe78⤵PID:5704
-
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe79⤵PID:5744
-
C:\Windows\SysWOW64\Podkmgop.exeC:\Windows\system32\Podkmgop.exe80⤵PID:5784
-
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5820 -
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe82⤵PID:5868
-
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe83⤵PID:5916
-
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe84⤵PID:5988
-
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe85⤵PID:6048
-
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe86⤵
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6136 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe88⤵PID:5168
-
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe89⤵PID:5260
-
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe90⤵PID:5328
-
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe91⤵PID:5392
-
C:\Windows\SysWOW64\Qckfid32.exeC:\Windows\system32\Qckfid32.exe92⤵PID:5476
-
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe93⤵PID:5620
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe94⤵PID:5676
-
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe95⤵PID:5752
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe96⤵PID:5816
-
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe97⤵PID:5912
-
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe98⤵PID:5936
-
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe99⤵PID:6084
-
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe100⤵
- Drops file in System32 directory
PID:3932 -
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236 -
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe102⤵PID:5320
-
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe103⤵
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe104⤵PID:5640
-
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe105⤵PID:5760
-
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe106⤵PID:5904
-
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe107⤵PID:6088
-
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe108⤵PID:5256
-
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe109⤵PID:5488
-
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe110⤵PID:5888
-
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe111⤵PID:5472
-
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe112⤵
- System Location Discovery: System Language Discovery
PID:5612 -
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe113⤵PID:6164
-
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6208 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe115⤵PID:6252
-
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe116⤵PID:6300
-
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe117⤵PID:6344
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe118⤵PID:6408
-
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe119⤵PID:6452
-
C:\Windows\SysWOW64\Bimach32.exeC:\Windows\system32\Bimach32.exe120⤵PID:6496
-
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe121⤵PID:6540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-