Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-09-2024 03:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
325fd993bfad2c7f43d3054e016cd3d0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
325fd993bfad2c7f43d3054e016cd3d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
325fd993bfad2c7f43d3054e016cd3d0N.exe
-
Size
107KB
-
MD5
325fd993bfad2c7f43d3054e016cd3d0
-
SHA1
d914426cc07ac7cbf60b6d8f2dbf0723bae85230
-
SHA256
4124d3909ca0f46968e0e4c41489f4e8a671577bb0a9daf7b089261a4690ab38
-
SHA512
87cd772e1955f95437a0722405ed68e3126e3b2ab8244543c3d6b5bea94d650c06f52688af63c28c150c7349173c0ba5471e4e47743d11d21d5970d7f6fb018a
-
SSDEEP
1536:Kcp2+cu9qk8uT0y43nlQk98pH37Pe2LZaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:zp3cW8uIZ4X7LZaMU7uihJ5233y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibmlmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdodkebj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgaijaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggbook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdmoohbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldjcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnaokmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmbfqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehdmlhcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meiioonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmemac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfelogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacdmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majjng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihipdhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdjapgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llflea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgeihcme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqoiqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjopcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eleepoob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjaphek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klkcdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 4840 Qjoankoi.exe 4316 Qddfkd32.exe 2700 Qffbbldm.exe 5008 Anmjcieo.exe 432 Aqkgpedc.exe 2272 Ageolo32.exe 4628 Ajckij32.exe 1568 Ambgef32.exe 1988 Aeiofcji.exe 2860 Agglboim.exe 3420 Ajfhnjhq.exe 3880 Amddjegd.exe 4704 Aqppkd32.exe 2200 Aeklkchg.exe 4884 Agjhgngj.exe 3028 Afmhck32.exe 1608 Ajkaii32.exe 3968 Aminee32.exe 2172 Agoabn32.exe 868 Bnhjohkb.exe 2964 Bebblb32.exe 4080 Bganhm32.exe 112 Bjokdipf.exe 1708 Beeoaapl.exe 1080 Bgcknmop.exe 3440 Bnmcjg32.exe 232 Bcjlcn32.exe 4800 Bfhhoi32.exe 1284 Bjddphlq.exe 5024 Bclhhnca.exe 116 Bmemac32.exe 2848 Bcoenmao.exe 4212 Cfmajipb.exe 4996 Cmgjgcgo.exe 2024 Cenahpha.exe 4592 Cfpnph32.exe 3448 Cmiflbel.exe 5108 Cdcoim32.exe 4732 Cfbkeh32.exe 2640 Cmlcbbcj.exe 3680 Cagobalc.exe 3572 Cfdhkhjj.exe 4808 Cnkplejl.exe 1588 Cmnpgb32.exe 2744 Cdhhdlid.exe 3112 Cffdpghg.exe 3744 Cmqmma32.exe 2812 Calhnpgn.exe 4304 Ddjejl32.exe 1648 Djdmffnn.exe 4364 Danecp32.exe 3800 Ddmaok32.exe 1748 Dfknkg32.exe 3916 Daqbip32.exe 3988 Ddonekbl.exe 4504 Dfnjafap.exe 2128 Dodbbdbb.exe 4948 Dmgbnq32.exe 3472 Daconoae.exe 2608 Ddakjkqi.exe 4860 Dogogcpo.exe 916 Dknpmdfc.exe 4296 Ehapfiem.exe 3484 Ekpmbddq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Baegibae.exe Process not Found File created C:\Windows\SysWOW64\Cgnomg32.exe Process not Found File created C:\Windows\SysWOW64\Lpepbgbd.exe Process not Found File created C:\Windows\SysWOW64\Pjphcf32.dll Process not Found File created C:\Windows\SysWOW64\Gigheh32.exe Fdkpma32.exe File created C:\Windows\SysWOW64\Qdhogopn.dll Blielbfi.exe File created C:\Windows\SysWOW64\Eicedn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Albpkc32.exe Adkgje32.exe File created C:\Windows\SysWOW64\Lhnhajba.exe Process not Found File created C:\Windows\SysWOW64\Mckmcadl.dll Process not Found File created C:\Windows\SysWOW64\Jmqgabec.dll Ddcqedkk.exe File created C:\Windows\SysWOW64\Meamcg32.exe Mbbagk32.exe File created C:\Windows\SysWOW64\Lmafqb32.dll Madjhb32.exe File created C:\Windows\SysWOW64\Aoqqpnlk.dll Cdnmfclj.exe File created C:\Windows\SysWOW64\Gpkpbaea.dll Process not Found File created C:\Windows\SysWOW64\Ieccbbkn.exe Process not Found File created C:\Windows\SysWOW64\Dinael32.exe Process not Found File created C:\Windows\SysWOW64\Bfddbh32.dll Ajkaii32.exe File created C:\Windows\SysWOW64\Iipejo32.dll Cpeohh32.exe File opened for modification C:\Windows\SysWOW64\Adkqoohc.exe Process not Found File created C:\Windows\SysWOW64\Jeqbpb32.exe Jbbfdfkn.exe File opened for modification C:\Windows\SysWOW64\Mehjol32.exe Mbjnbqhp.exe File created C:\Windows\SysWOW64\Bcbohigp.exe Bqdblmhl.exe File created C:\Windows\SysWOW64\Pjcikejg.exe Process not Found File created C:\Windows\SysWOW64\Ddcqedkk.exe Daediilg.exe File created C:\Windows\SysWOW64\Plkcijka.dll Plpqil32.exe File created C:\Windows\SysWOW64\Njhgbp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fnbcgn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Process not Found File created C:\Windows\SysWOW64\Aeklkchg.exe Aqppkd32.exe File created C:\Windows\SysWOW64\Dhkehk32.dll Ifbbig32.exe File opened for modification C:\Windows\SysWOW64\Ikaggmii.exe Iickkbje.exe File created C:\Windows\SysWOW64\Leeigm32.dll Process not Found File created C:\Windows\SysWOW64\Clomci32.dll Jibmgi32.exe File created C:\Windows\SysWOW64\Cfapoa32.dll Bfbaonae.exe File created C:\Windows\SysWOW64\Ciafbg32.exe Cfcjfk32.exe File opened for modification C:\Windows\SysWOW64\Gdcliikj.exe Glldgljg.exe File created C:\Windows\SysWOW64\Jpenfp32.exe Process not Found File created C:\Windows\SysWOW64\Calhnpgn.exe Cmqmma32.exe File opened for modification C:\Windows\SysWOW64\Ghklce32.exe Gempgj32.exe File opened for modification C:\Windows\SysWOW64\Iqklon32.exe Inmpcc32.exe File created C:\Windows\SysWOW64\Ihpcinld.exe Process not Found File created C:\Windows\SysWOW64\Dbqqkkbo.exe Dpbdopck.exe File opened for modification C:\Windows\SysWOW64\Knhakh32.exe Kkjeomld.exe File created C:\Windows\SysWOW64\Jinboekc.exe Process not Found File created C:\Windows\SysWOW64\Bkfmmb32.dll Process not Found File created C:\Windows\SysWOW64\Mhgfkg32.exe Mehjol32.exe File created C:\Windows\SysWOW64\Okilfdgl.dll Dhjckcgi.exe File created C:\Windows\SysWOW64\Hhfedm32.exe Hpomcp32.exe File created C:\Windows\SysWOW64\Ibcaknbi.exe Process not Found File created C:\Windows\SysWOW64\Biiobo32.exe Process not Found File created C:\Windows\SysWOW64\Emmoafdl.dll Iddljmpc.exe File created C:\Windows\SysWOW64\Ggamph32.dll Dmfeidbe.exe File created C:\Windows\SysWOW64\Kckqbj32.exe Process not Found File created C:\Windows\SysWOW64\Gemdebha.dll Process not Found File created C:\Windows\SysWOW64\Qffbbldm.exe Qddfkd32.exe File opened for modification C:\Windows\SysWOW64\Hnagak32.exe Hheoid32.exe File opened for modification C:\Windows\SysWOW64\Ocmconhk.exe Opogbbig.exe File created C:\Windows\SysWOW64\Ddgplado.exe Process not Found File created C:\Windows\SysWOW64\Plpodked.dll Process not Found File created C:\Windows\SysWOW64\Lemkcnaa.exe Lbnngbbn.exe File created C:\Windows\SysWOW64\Npjnhc32.exe Nhbfff32.exe File created C:\Windows\SysWOW64\Jklinohd.exe Jgpmmp32.exe File created C:\Windows\SysWOW64\Mqdcnl32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 14312 14672 Process not Found 1880 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedlgbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgepom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paoollik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbghfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfodbqfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjnhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idghpmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbaojpgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikaggmii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheplb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbfab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkeclfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhilfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldamm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmalne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhifjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnlobej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimpolee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poaqemao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijegcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knalji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdbmhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimkic32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgbdcgld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekgdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll" Alelqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkaqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmbbhkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjopcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kicpplqn.dll" Fhabbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljejh32.dll" Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfciej.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdhao32.dll" Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doogdl32.dll" Ncofplba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkjji32.dll" Mhafeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhihdcbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbileede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgpnkdm.dll" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhdfbfdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnkkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddadpdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodeh32.dll" Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggamph32.dll" Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Ahbjoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkmnpkk.dll" Afghneoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggbook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plejdkmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqcmdnk.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4192 wrote to memory of 4840 4192 325fd993bfad2c7f43d3054e016cd3d0N.exe 83 PID 4192 wrote to memory of 4840 4192 325fd993bfad2c7f43d3054e016cd3d0N.exe 83 PID 4192 wrote to memory of 4840 4192 325fd993bfad2c7f43d3054e016cd3d0N.exe 83 PID 4840 wrote to memory of 4316 4840 Qjoankoi.exe 84 PID 4840 wrote to memory of 4316 4840 Qjoankoi.exe 84 PID 4840 wrote to memory of 4316 4840 Qjoankoi.exe 84 PID 4316 wrote to memory of 2700 4316 Qddfkd32.exe 85 PID 4316 wrote to memory of 2700 4316 Qddfkd32.exe 85 PID 4316 wrote to memory of 2700 4316 Qddfkd32.exe 85 PID 2700 wrote to memory of 5008 2700 Qffbbldm.exe 86 PID 2700 wrote to memory of 5008 2700 Qffbbldm.exe 86 PID 2700 wrote to memory of 5008 2700 Qffbbldm.exe 86 PID 5008 wrote to memory of 432 5008 Anmjcieo.exe 87 PID 5008 wrote to memory of 432 5008 Anmjcieo.exe 87 PID 5008 wrote to memory of 432 5008 Anmjcieo.exe 87 PID 432 wrote to memory of 2272 432 Aqkgpedc.exe 88 PID 432 wrote to memory of 2272 432 Aqkgpedc.exe 88 PID 432 wrote to memory of 2272 432 Aqkgpedc.exe 88 PID 2272 wrote to memory of 4628 2272 Ageolo32.exe 89 PID 2272 wrote to memory of 4628 2272 Ageolo32.exe 89 PID 2272 wrote to memory of 4628 2272 Ageolo32.exe 89 PID 4628 wrote to memory of 1568 4628 Ajckij32.exe 90 PID 4628 wrote to memory of 1568 4628 Ajckij32.exe 90 PID 4628 wrote to memory of 1568 4628 Ajckij32.exe 90 PID 1568 wrote to memory of 1988 1568 Ambgef32.exe 91 PID 1568 wrote to memory of 1988 1568 Ambgef32.exe 91 PID 1568 wrote to memory of 1988 1568 Ambgef32.exe 91 PID 1988 wrote to memory of 2860 1988 Aeiofcji.exe 93 PID 1988 wrote to memory of 2860 1988 Aeiofcji.exe 93 PID 1988 wrote to memory of 2860 1988 Aeiofcji.exe 93 PID 2860 wrote to memory of 3420 2860 Agglboim.exe 94 PID 2860 wrote to memory of 3420 2860 Agglboim.exe 94 PID 2860 wrote to memory of 3420 2860 Agglboim.exe 94 PID 3420 wrote to memory of 3880 3420 Ajfhnjhq.exe 95 PID 3420 wrote to memory of 3880 3420 Ajfhnjhq.exe 95 PID 3420 wrote to memory of 3880 3420 Ajfhnjhq.exe 95 PID 3880 wrote to memory of 4704 3880 Amddjegd.exe 96 PID 3880 wrote to memory of 4704 3880 Amddjegd.exe 96 PID 3880 wrote to memory of 4704 3880 Amddjegd.exe 96 PID 4704 wrote to memory of 2200 4704 Aqppkd32.exe 97 PID 4704 wrote to memory of 2200 4704 Aqppkd32.exe 97 PID 4704 wrote to memory of 2200 4704 Aqppkd32.exe 97 PID 2200 wrote to memory of 4884 2200 Aeklkchg.exe 98 PID 2200 wrote to memory of 4884 2200 Aeklkchg.exe 98 PID 2200 wrote to memory of 4884 2200 Aeklkchg.exe 98 PID 4884 wrote to memory of 3028 4884 Agjhgngj.exe 99 PID 4884 wrote to memory of 3028 4884 Agjhgngj.exe 99 PID 4884 wrote to memory of 3028 4884 Agjhgngj.exe 99 PID 3028 wrote to memory of 1608 3028 Afmhck32.exe 102 PID 3028 wrote to memory of 1608 3028 Afmhck32.exe 102 PID 3028 wrote to memory of 1608 3028 Afmhck32.exe 102 PID 1608 wrote to memory of 3968 1608 Ajkaii32.exe 103 PID 1608 wrote to memory of 3968 1608 Ajkaii32.exe 103 PID 1608 wrote to memory of 3968 1608 Ajkaii32.exe 103 PID 3968 wrote to memory of 2172 3968 Aminee32.exe 104 PID 3968 wrote to memory of 2172 3968 Aminee32.exe 104 PID 3968 wrote to memory of 2172 3968 Aminee32.exe 104 PID 2172 wrote to memory of 868 2172 Agoabn32.exe 105 PID 2172 wrote to memory of 868 2172 Agoabn32.exe 105 PID 2172 wrote to memory of 868 2172 Agoabn32.exe 105 PID 868 wrote to memory of 2964 868 Bnhjohkb.exe 106 PID 868 wrote to memory of 2964 868 Bnhjohkb.exe 106 PID 868 wrote to memory of 2964 868 Bnhjohkb.exe 106 PID 2964 wrote to memory of 4080 2964 Bebblb32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\325fd993bfad2c7f43d3054e016cd3d0N.exe"C:\Users\Admin\AppData\Local\Temp\325fd993bfad2c7f43d3054e016cd3d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe23⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe24⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe25⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe26⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe27⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe28⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe29⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe30⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe31⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe33⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe34⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe35⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe37⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe38⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe39⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe40⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe41⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3680 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe43⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe44⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe45⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe46⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe47⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3744 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe49⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe50⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe51⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe52⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe53⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe54⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe55⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe56⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe57⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe58⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe59⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe60⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe61⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe62⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe63⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe64⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe65⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe66⤵PID:4804
-
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:712 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe68⤵PID:2120
-
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe69⤵PID:384
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe70⤵PID:4608
-
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe71⤵PID:2220
-
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe72⤵PID:2108
-
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe73⤵PID:4688
-
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe74⤵PID:860
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe75⤵PID:4448
-
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe76⤵PID:548
-
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe77⤵PID:4464
-
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe78⤵PID:1688
-
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe79⤵PID:3388
-
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe80⤵PID:2316
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe81⤵PID:1028
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe82⤵PID:5000
-
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe83⤵PID:2544
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe84⤵PID:2940
-
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe86⤵PID:4980
-
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe87⤵
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1168 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe89⤵PID:4880
-
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe91⤵PID:3160
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe92⤵PID:3604
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe93⤵PID:1656
-
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe94⤵
- Drops file in System32 directory
PID:4572 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe95⤵PID:5132
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe96⤵
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe97⤵PID:5264
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe98⤵PID:5316
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe99⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe100⤵PID:5428
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe101⤵PID:5516
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe102⤵PID:5572
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe103⤵PID:5620
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe104⤵PID:5664
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe105⤵PID:5716
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe106⤵PID:5764
-
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe107⤵PID:5812
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe108⤵PID:5868
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe109⤵PID:5912
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe110⤵PID:5956
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe111⤵
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe112⤵PID:6044
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe113⤵PID:6084
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe114⤵PID:6128
-
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe115⤵PID:5160
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe116⤵PID:5248
-
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe117⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe118⤵PID:5416
-
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe119⤵PID:5524
-
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe120⤵PID:5592
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe121⤵PID:5672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-