Analysis
max time kernel: 114s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2024 23:06

Static task: static1
Behavioral task: behavioral1 | Sample: fd5a5545a9a4110587bd00b3e7187a90N.exe | Resource: win7-20240903-en
Behavioral task: behavioral2 | Sample: fd5a5545a9a4110587bd00b3e7187a90N.exe | Resource: win10v2004-20240802-en
This page shows the behavioral2 run (resource win10v2004-20240802-en, matching the platform above).

General
Target: fd5a5545a9a4110587bd00b3e7187a90N.exe
Size: 64KB
MD5: fd5a5545a9a4110587bd00b3e7187a90
SHA1: 58f6d742ce99eea547c91b4e5f380d6ab4ada94e
SHA256: 068821fb02a32382e1893de3dada62ed19ec218c347f1e6a6b77d5875caffecc
SHA512: 406494c60eb4ecb6e215f1feb9fffa2f2b0bc863c1a609c8b332259a7bca67c0de0d1c15bae60e952f229b1b4590ba5035cb83b3049bb254b50497a7e21095dd
SSDEEP: 1536:ij2DmjVO0pGUolcNmGvIaDtoaGhYQD773BWstwJQ:ij2DmI0pG1lKvIaDtIhYKNwJQ

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every row below touches the 32-bit (WOW6432Node) view of the ShellServiceObjectDelayLoad (SSODL) key, a list of CLSIDs that Explorer.exe instantiates when the shell starts. The sample registers the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under the value name "Web Event Logger"; the "Modifies registry class" section further down points that CLSID's InProcServer32 at a DLL dropped into C:\Windows\SysWow64, which is how the DLL gets loaded into Explorer. "Process not Found" is the sandbox's placeholder for events it could not map back to a tracked process.
Key for every row: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ("Key created" rows spell it "Software"). Every "Set value (str)" row writes Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" under that key.

description | Process
Set value (str) | Oookgbpj.exe
Key created | Process not Found
Key created | Process not Found
Key created | Process not Found
Key created | Process not Found
Set value (str) | Process not Found
Set value (str) | Ceehcc32.exe
Set value (str) | Process not Found
Key created | Process not Found
Set value (str) | Process not Found
Key created | Abdfkj32.exe
Key created | Process not Found
Key created | Cccppgcp.exe
Set value (str) | Process not Found
Key created | Process not Found
Key created | Process not Found
Key created | Process not Found
Key created | Process not Found
Key created | Process not Found
Set value (str) | Hccomh32.exe
Key created | Ngpjgpec.exe
Set value (str) | Process not Found
Set value (str) | Process not Found
Key created | Process not Found
Set value (str) | Process not Found
Set value (str) | Process not Found
Set value (str) | Fgqehgco.exe
Set value (str) | Process not Found
Set value (str) | Process not Found
Key created | Process not Found
Set value (str) | Process not Found
Set value (str) | Hfbbdj32.exe
Key created | Lhelddln.exe
Key created | Nqioqf32.exe
Set value (str) | Iacepmik.exe
Key created | Mmcnap32.exe
Key created | Aikijjon.exe
Set value (str) | Iajkohmj.exe
Key created | Ipohpdbb.exe
Set value (str) | Process not Found
Key created | Process not Found
Set value (str) | Omgjhc32.exe
Set value (str) | Process not Found
Key created | Process not Found
Set value (str) | Process not Found
Key created | Fbhnec32.exe
Set value (str) | Ggfobofl.exe
Key created | Haafnf32.exe
Key created | Jdgjgh32.exe
Set value (str) | Fcfocb32.exe
Set value (str) | Process not Found
Key created | Process not Found
Key created | Process not Found
Set value (str) | Cbnbhfde.exe
Key created | Eflceb32.exe
Key created | Kjcccm32.exe
Set value (str) | Qfanbpjg.exe
Set value (str) | Process not Found
Key created | Process not Found
Set value (str) | Process not Found
Key created | Bchgnoai.exe
Key created | Process not Found
Set value (str) | Process not Found
Key created | Process not Found
Executes dropped EXE (64 IoCs)
pid | Process
3960 | Loniiflo.exe
1520 | Malefbkc.exe
3528 | Mhfmbl32.exe
1756 | Mopeofjl.exe
1688 | Maoakaip.exe
1812 | Mobbdf32.exe
5656 | Mdokmm32.exe
1432 | Moeoje32.exe
5788 | Meoggpmd.exe
5012 | Mgpcohcb.exe
5880 | Moglpedd.exe
5492 | Meadlo32.exe
5940 | Nmlhaa32.exe
784 | Necqbo32.exe
5192 | Nolekd32.exe
5152 | Najagp32.exe
4660 | Ndinck32.exe
3400 | Nkbfpeec.exe
6076 | Namnmp32.exe
4748 | Nhffijdm.exe
2460 | Nkebee32.exe
5408 | Naokbokn.exe
1548 | Ndmgnkja.exe
4816 | Nglcjfie.exe
3484 | Nnfkgp32.exe
320 | Nhkpdi32.exe
5028 | Nkjlqd32.exe
888 | Onhhmpoo.exe
4900 | Oeopnmoa.exe
3344 | Onjebpml.exe
5312 | Oddmoj32.exe
1004 | Oojalb32.exe
3220 | Odgjdibf.exe
5740 | Ogefqeaj.exe
3408 | Ononmo32.exe
5696 | Oeffnl32.exe
4608 | Oggbfdog.exe
3212 | Oookgbpj.exe
2520 | Ofhcdlgg.exe
2316 | Ohgopgfj.exe
4000 | Okeklcen.exe
5688 | Paocim32.exe
4128 | Philfgdh.exe
1620 | Pkhhbbck.exe
5684 | Pfmlok32.exe
2532 | Pgoigcip.exe
2664 | Pnhacn32.exe
3192 | Pdbiphhi.exe
1956 | Pklamb32.exe
1500 | Pbfjjlgc.exe
2952 | Pfbfjk32.exe
4132 | Pgcbbc32.exe
3224 | Pbifol32.exe
2936 | Phbolflm.exe
2688 | Qnpgdmjd.exe
2904 | Qdipag32.exe
1984 | Qghlmbae.exe
5776 | Qoocnpag.exe
1136 | Qbmpjkqk.exe
4528 | Qdllffpo.exe
3688 | Akfdcq32.exe
5824 | Andqol32.exe
4616 | Anfmeldl.exe
5588 | Abbiej32.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64, the 32-bit system directory, consistent with the WOW6432Node registry writes above. Both the dropped EXEs and the DLLs that back the CLSID registration live here.

description | ioc | Process
File created | C:\Windows\SysWOW64\Pohfblha.dll | Process not Found
File created | C:\Windows\SysWOW64\Gdfhil32.exe | Gechnpid.exe
File created | C:\Windows\SysWOW64\Jqaoii32.dll | Process not Found
File created | C:\Windows\SysWOW64\Cajqng32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mgpcohcb.exe | Meoggpmd.exe
File created | C:\Windows\SysWOW64\Kkjoha32.dll | Agikne32.exe
File opened for modification | C:\Windows\SysWOW64\Cdpckbli.exe | Process not Found
File created | C:\Windows\SysWOW64\Ghlpioak.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Akiijq32.exe | Process not Found
File created | C:\Windows\SysWOW64\Hjmchc32.dll | Process not Found
File created | C:\Windows\SysWOW64\Jckcfocl.dll | Ifhibhfc.exe
File created | C:\Windows\SysWOW64\Hiipnb32.dll | Fifdqhal.exe
File opened for modification | C:\Windows\SysWOW64\Kanffogf.exe | Jbmfig32.exe
File opened for modification | C:\Windows\SysWOW64\Hkhkdjkl.exe | Process not Found
File created | C:\Windows\SysWOW64\Ejbkao32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cqfahh32.exe | Cnhell32.exe
File created | C:\Windows\SysWOW64\Mkeodcom.dll | Process not Found
File created | C:\Windows\SysWOW64\Kpldpddh.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hccomh32.exe | Hklglk32.exe
File opened for modification | C:\Windows\SysWOW64\Dqhpjohb.exe | Dmmdjp32.exe
File created | C:\Windows\SysWOW64\Fofigd32.exe | Ejiqom32.exe
File created | C:\Windows\SysWOW64\Hpogkd32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Iiaggc32.exe | Iqfcbahb.exe
File opened for modification | C:\Windows\SysWOW64\Faamghko.exe | Flddoa32.exe
File created | C:\Windows\SysWOW64\Nbepdfnc.exe | Npfchkop.exe
File created | C:\Windows\SysWOW64\Dcbckk32.exe | Dofgklcb.exe
File opened for modification | C:\Windows\SysWOW64\Hihbco32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ommjipel.exe | Process not Found
File created | C:\Windows\SysWOW64\Pklamb32.exe | Pdbiphhi.exe
File created | C:\Windows\SysWOW64\Abflab32.dll | Ckfofe32.exe
File opened for modification | C:\Windows\SysWOW64\Aobieq32.exe | Process not Found
File created | C:\Windows\SysWOW64\Eflceb32.exe | Eoekde32.exe
File opened for modification | C:\Windows\SysWOW64\Nmmgae32.exe | Njokei32.exe
File created | C:\Windows\SysWOW64\Gmhfbf32.exe | Gbcaemdg.exe
File created | C:\Windows\SysWOW64\Lgmbmn32.exe | Process not Found
File created | C:\Windows\SysWOW64\Apgmfh32.dll | Process not Found
File created | C:\Windows\SysWOW64\Qeomnh32.dll | Mglhgg32.exe
File created | C:\Windows\SysWOW64\Ihdjfhhc.exe | Iajbinaf.exe
File created | C:\Windows\SysWOW64\Pbdcac32.dll | Process not Found
File created | C:\Windows\SysWOW64\Qpmmfbfl.exe | Qnopjfgi.exe
File created | C:\Windows\SysWOW64\Anjifbpg.exe | Process not Found
File created | C:\Windows\SysWOW64\Plgpjhnf.exe | Pfjgbapo.exe
File created | C:\Windows\SysWOW64\Dmppgb32.dll | Anmagenh.exe
File created | C:\Windows\SysWOW64\Ejglcq32.exe | Eieplhlf.exe
File opened for modification | C:\Windows\SysWOW64\Idpdfija.exe | Inflio32.exe
File opened for modification | C:\Windows\SysWOW64\Agnkck32.exe | Ahkkhnpg.exe
File created | C:\Windows\SysWOW64\Gklnem32.exe | Gikbneio.exe
File created | C:\Windows\SysWOW64\Nehekq32.exe | Nmmqgo32.exe
File created | C:\Windows\SysWOW64\Bmfjodgc.exe | Process not Found
File created | C:\Windows\SysWOW64\Ddbohb32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fffqjfom.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Oaajoj32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Qkhjim32.exe | Process not Found
File created | C:\Windows\SysWOW64\Bdndik32.exe | Process not Found
File created | C:\Windows\SysWOW64\Faopah32.exe | Fkehdnee.exe
File created | C:\Windows\SysWOW64\Jjgcgo32.exe | Jkfcigkm.exe
File opened for modification | C:\Windows\SysWOW64\Jpgmaf32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cabfagee.exe | Process not Found
File created | C:\Windows\SysWOW64\Mpnngh32.exe | Lhcjbfag.exe
File created | C:\Windows\SysWOW64\Emjgcc32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Emldhb32.exe | Process not Found
File created | C:\Windows\SysWOW64\Inogbj32.dll | Loniiflo.exe
File created | C:\Windows\SysWOW64\Bjhkaf32.dll | Kbfjljhf.exe
File opened for modification | C:\Windows\SysWOW64\Ajikhfpg.exe | Aelcooap.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
6960 | 2936 | Process not Found | 2219
(PID 2936 appears in the "Executes dropped EXE" list above as Phbolflm.exe; the crashing process itself could not be attributed by the sandbox.)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Every row opens \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; the read recurs in one dropped executable after another, so it is part of the per-process startup routine rather than a one-off check.

description | Process
Key opened | Fcdbmb32.exe
Key opened | Process not Found
Key opened | Process not Found
Key opened | Acaanp32.exe
Key opened | Process not Found
Key opened | Odhiemil.exe
Key opened | Mmlhpaji.exe
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Ahkkhnpg.exe
Key opened | Mkadam32.exe
Key opened | Process not Found
Key opened | Pgoigcip.exe
Key opened | Ailabddb.exe
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Occkhp32.exe
Key opened | Mdokmm32.exe
Key opened | Qdllffpo.exe
Key opened | Pgpobmca.exe
Key opened | Okaabg32.exe
Key opened | Gndpkp32.exe
Key opened | Gjgmpkfl.exe
Key opened | Kinefp32.exe
Key opened | Process not Found
Key opened | Anmmkd32.exe
Key opened | Cbdhgaid.exe
Key opened | Gechnpid.exe
Key opened | Galfhpmf.exe
Key opened | Fcgemhic.exe
Key opened | Process not Found
Key opened | Process not Found
Key opened | Ofalfi32.exe
Key opened | Process not Found
Key opened | Process not Found
Key opened | Pljcjn32.exe
Key opened | Hdahek32.exe
Key opened | Onklkhnn.exe
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Peodcmeg.exe
Key opened | Oddmoj32.exe
Key opened | Ehnpmkbg.exe
Key opened | Hklglk32.exe
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Process not Found
Key opened | Npldnp32.exe
Key opened | Ifipmo32.exe
Key opened | Agcdnjcl.exe
Key opened | Jhcmbm32.exe
Key opened | Ppccemjk.exe
Key opened | Nqifkl32.exe
Key opened | Process not Found
Key opened | Process not Found
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
12232 | Process not Found
Modifies registry class (64 IoCs)
These rows are the other half of the SSODL persistence described under "Adds autorun key" above: the CLSID that "Web Event Logger" points to receives an InProcServer32 subkey whose default value names a DLL dropped into C:\Windows\SysWow64, with ThreadingModel = "Apartment", a standard in-process COM server registration. Note that the dropped executables that perform this registration each write a different eight-character DLL name (for example Bgkaip32.exe writes Dfkclp32.dll, Ejiiippb.exe writes Djdpbope.dll), so the on-disk IoC varies while the CLSID and the SSODL value name stay constant.
Key for every row: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (the raw report writes the default value as "InProcServer32\ = ...").

description | value | Process
Key created | (subkey) | Dqhpjohb.exe
Key created | (subkey) | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bedcpnmi.dll" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Dfkclp32.dll" | Bgkaip32.exe
Key created | (subkey) | Ikpjmd32.exe
Key created | (subkey) | Njfafhjf.exe
Key created | (subkey) | Libnapmg.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Haaidh32.dll" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Dlfbgp32.dll" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Djdpbope.dll" | Ejiiippb.exe
Set value (str) | ThreadingModel = "Apartment" | Bppjhl32.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Apjppniq.dll" | Dbijinfl.exe
Key created | (subkey) | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bijfpm32.dll" | Okiefn32.exe
Set value (str) | ThreadingModel = "Apartment" | Glhgojef.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Mebncnbm.dll" | Qmkfoj32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Odejmglm.dll" | Joikdk32.exe
Key created | (subkey) | Process not Found
Key created | (subkey) | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Mobbdf32.exe
Key created | (subkey) | Gffkpa32.exe
Set value (str) | ThreadingModel = "Apartment" | Jdhigk32.exe
Key created | (subkey) | Process not Found
Key created | (subkey) | Pljcjn32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Cihbeo32.dll" | Odgjdibf.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Fepbfj32.dll" | Mmdlflki.exe
Key created | (subkey) | Mmghklif.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Gjnjammf.dll" | Meoggpmd.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bhghjpod.dll" | Olmficce.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Giagjn32.dll" | Hdfapjbl.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Demikn32.dll" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ofmcfq32.dll" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Cebaafpc.dll" | Hmifcjif.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Adkghk32.dll" | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Pfmlok32.exe
Key created | (subkey) | Fmjjqhpn.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Key created | (subkey) | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Incpdodg.exe
Key created | (subkey) | Kkqepi32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Hbmffqbg.dll" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Aojabkqc.dll" | Process not Found
Key created | (subkey) | Nffljjfc.exe
Key created | (subkey) | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kmqgdhfa.dll" | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Limdkpgg.dll" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Dolpli32.dll" | Process not Found
Key created | (subkey) | Odgjdibf.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Nopkoobi.dll" | Dlobmd32.exe
Key created | (subkey) | Fagcfc32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Illiee32.dll" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Lhfinh32.dll" | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Apncei32.dll" | Process not Found
Key created | (subkey) | Process not Found
Key created | (subkey) | Process not Found
Key created | (subkey) | Process not Found
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kkfpcj32.dll" | Gooqfkan.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Lddqbbco.dll" | Adnbapjp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd5a5545a9a4110587bd00b3e7187a90N.exe"C:\Users\Admin\AppData\Local\Temp\fd5a5545a9a4110587bd00b3e7187a90N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Loniiflo.exeC:\Windows\system32\Loniiflo.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Mdokmm32.exeC:\Windows\system32\Mdokmm32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5656 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5788 -
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5880 -
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5492 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5940 -
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5192 -
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5152 -
C:\Windows\SysWOW64\Ndinck32.exeC:\Windows\system32\Ndinck32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Nkbfpeec.exeC:\Windows\system32\Nkbfpeec.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6076 -
C:\Windows\SysWOW64\Nhffijdm.exeC:\Windows\system32\Nhffijdm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Nkebee32.exeC:\Windows\system32\Nkebee32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe23⤵
- Executes dropped EXE
PID:5408 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe24⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Nglcjfie.exeC:\Windows\system32\Nglcjfie.exe25⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Nnfkgp32.exeC:\Windows\system32\Nnfkgp32.exe26⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe27⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe28⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe29⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe30⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe31⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Oddmoj32.exeC:\Windows\system32\Oddmoj32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5312 -
C:\Windows\SysWOW64\Oojalb32.exeC:\Windows\system32\Oojalb32.exe33⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Odgjdibf.exeC:\Windows\system32\Odgjdibf.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe35⤵
- Executes dropped EXE
PID:5740 -
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe36⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe37⤵
- Executes dropped EXE
PID:5696 -
C:\Windows\SysWOW64\Oggbfdog.exeC:\Windows\system32\Oggbfdog.exe38⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Oookgbpj.exeC:\Windows\system32\Oookgbpj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Ofhcdlgg.exeC:\Windows\system32\Ofhcdlgg.exe40⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe41⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Okeklcen.exeC:\Windows\system32\Okeklcen.exe42⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe43⤵
- Executes dropped EXE
PID:5688 -
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe44⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Pkhhbbck.exeC:\Windows\system32\Pkhhbbck.exe45⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:5684 -
C:\Windows\SysWOW64\Pgoigcip.exeC:\Windows\system32\Pgoigcip.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe48⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3192 -
C:\Windows\SysWOW64\Pklamb32.exeC:\Windows\system32\Pklamb32.exe50⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe51⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe52⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe53⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Pbifol32.exeC:\Windows\system32\Pbifol32.exe54⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Phbolflm.exeC:\Windows\system32\Phbolflm.exe55⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Qnpgdmjd.exeC:\Windows\system32\Qnpgdmjd.exe56⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe57⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe58⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe59⤵
- Executes dropped EXE
PID:5776 -
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe60⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4528 -
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe62⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe63⤵
- Executes dropped EXE
PID:5824 -
C:\Windows\SysWOW64\Anfmeldl.exeC:\Windows\system32\Anfmeldl.exe64⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe65⤵
- Executes dropped EXE
PID:5588 -
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe66⤵
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Windows\SysWOW64\Abdfkj32.exeC:\Windows\system32\Abdfkj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Ainnhdbp.exeC:\Windows\system32\Ainnhdbp.exe68⤵PID:2776
-
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe69⤵PID:4976
-
C:\Windows\SysWOW64\Abgcqjhp.exeC:\Windows\system32\Abgcqjhp.exe70⤵PID:5420
-
C:\Windows\SysWOW64\Aiqkmd32.exeC:\Windows\system32\Aiqkmd32.exe71⤵PID:3056
-
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe72⤵PID:5840
-
C:\Windows\SysWOW64\Aeglbeea.exeC:\Windows\system32\Aeglbeea.exe73⤵PID:1140
-
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe74⤵PID:2164
-
C:\Windows\SysWOW64\Bbklli32.exeC:\Windows\system32\Bbklli32.exe75⤵PID:5256
-
C:\Windows\SysWOW64\Bbniai32.exeC:\Windows\system32\Bbniai32.exe76⤵PID:4712
-
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe77⤵
- Modifies registry class
PID:4476 -
C:\Windows\SysWOW64\Bpaikm32.exeC:\Windows\system32\Bpaikm32.exe78⤵PID:4444
-
C:\Windows\SysWOW64\Bflagg32.exeC:\Windows\system32\Bflagg32.exe79⤵PID:5744
-
C:\Windows\SysWOW64\Bkhjpn32.exeC:\Windows\system32\Bkhjpn32.exe80⤵PID:4548
-
C:\Windows\SysWOW64\Bpdfpmoo.exeC:\Windows\system32\Bpdfpmoo.exe81⤵PID:748
-
C:\Windows\SysWOW64\Biljib32.exeC:\Windows\system32\Biljib32.exe82⤵PID:6084
-
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe83⤵PID:2168
-
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe84⤵PID:2676
-
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe85⤵PID:5360
-
C:\Windows\SysWOW64\Cnlpgibd.exeC:\Windows\system32\Cnlpgibd.exe86⤵PID:1044
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3888 -
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe88⤵PID:1368
-
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe89⤵PID:1568
-
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe90⤵PID:2104
-
C:\Windows\SysWOW64\Cicqja32.exeC:\Windows\system32\Cicqja32.exe91⤵PID:1220
-
C:\Windows\SysWOW64\Clbmfm32.exeC:\Windows\system32\Clbmfm32.exe92⤵PID:1496
-
C:\Windows\SysWOW64\Cnpibh32.exeC:\Windows\system32\Cnpibh32.exe93⤵PID:2452
-
C:\Windows\SysWOW64\Cfgace32.exeC:\Windows\system32\Cfgace32.exe94⤵PID:2084
-
C:\Windows\SysWOW64\Cifmoa32.exeC:\Windows\system32\Cifmoa32.exe95⤵PID:2108
-
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe96⤵PID:5916
-
C:\Windows\SysWOW64\Cbnbhfde.exeC:\Windows\system32\Cbnbhfde.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4208 -
C:\Windows\SysWOW64\Cemndbci.exeC:\Windows\system32\Cemndbci.exe98⤵PID:2380
-
C:\Windows\SysWOW64\Chkjpm32.exeC:\Windows\system32\Chkjpm32.exe99⤵PID:4964
-
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe100⤵PID:1480
-
C:\Windows\SysWOW64\Dlicflic.exeC:\Windows\system32\Dlicflic.exe101⤵PID:5432
-
C:\Windows\SysWOW64\Dimcppgm.exeC:\Windows\system32\Dimcppgm.exe102⤵PID:4892
-
C:\Windows\SysWOW64\Dhpdkm32.exeC:\Windows\system32\Dhpdkm32.exe103⤵PID:5636
-
C:\Windows\SysWOW64\Dbehienn.exeC:\Windows\system32\Dbehienn.exe104⤵PID:3468
-
C:\Windows\SysWOW64\Dhbqalle.exeC:\Windows\system32\Dhbqalle.exe105⤵PID:3100
-
C:\Windows\SysWOW64\Dolinf32.exeC:\Windows\system32\Dolinf32.exe106⤵PID:4636
-
C:\Windows\SysWOW64\Diamko32.exeC:\Windows\system32\Diamko32.exe107⤵PID:4272
-
C:\Windows\SysWOW64\Dpkehi32.exeC:\Windows\system32\Dpkehi32.exe108⤵PID:2992
-
C:\Windows\SysWOW64\Dehnpp32.exeC:\Windows\system32\Dehnpp32.exe109⤵PID:432
-
C:\Windows\SysWOW64\Dpnbmi32.exeC:\Windows\system32\Dpnbmi32.exe110⤵PID:5292
-
C:\Windows\SysWOW64\Efhjjcpo.exeC:\Windows\system32\Efhjjcpo.exe111⤵PID:3248
-
C:\Windows\SysWOW64\Ehifak32.exeC:\Windows\system32\Ehifak32.exe112⤵PID:220
-
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe113⤵PID:436
-
C:\Windows\SysWOW64\Ebokodfc.exeC:\Windows\system32\Ebokodfc.exe114⤵PID:5968
-
C:\Windows\SysWOW64\Eemgkpef.exeC:\Windows\system32\Eemgkpef.exe115⤵PID:1236
-
C:\Windows\SysWOW64\Elgohj32.exeC:\Windows\system32\Elgohj32.exe116⤵PID:5456
-
C:\Windows\SysWOW64\Eoekde32.exeC:\Windows\system32\Eoekde32.exe117⤵
- Drops file in System32 directory
PID:4928 -
C:\Windows\SysWOW64\Eflceb32.exeC:\Windows\system32\Eflceb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3652 -
C:\Windows\SysWOW64\Eikpan32.exeC:\Windows\system32\Eikpan32.exe119⤵PID:1852
-
C:\Windows\SysWOW64\Ehnpmkbg.exeC:\Windows\system32\Ehnpmkbg.exe120⤵
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\SysWOW64\Epehnhbj.exeC:\Windows\system32\Epehnhbj.exe121⤵PID:3592
-
C:\Windows\SysWOW64\Ebcdjc32.exeC:\Windows\system32\Ebcdjc32.exe122⤵PID:5308