Analysis
max time kernel: 94s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2024 19:23
Static task: static1
Behavioral task: behavioral1
  Sample: a05805fdc475b8920831d5620e5a3790N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a05805fdc475b8920831d5620e5a3790N.exe
  Resource: win10v2004-20240802-en
General
Target: a05805fdc475b8920831d5620e5a3790N.exe
Size: 121KB
MD5: a05805fdc475b8920831d5620e5a3790
SHA1: a8c8ddd4205162223194e53a70fa8ac94de26711
SHA256: 0d7f2f5c989af74356fb2bacf0f1f72956d93d86c6b370891054839fc3e34eee
SHA512: 26a8da7e3999b15e382909ceb69d3f45657a0ad2251e35a6bd9e8959ca138e8cbae7448ac30f9ed8f58897e3bad82a801693e455031a53c5e19a3e742500a2b5
SSDEEP: 1536:GvBupg28wnni5ZsPDI5HP1r0SKZU8pYz0bFCnCV19zQYOd5ijJnD5ir3oGuiWDD:ABupEynCZIDOv1r07KzM8uO7AJnD5tvv
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 1568
pid_target: 26076
Process: Process not Found
procid_target: 1567
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the image path, the command line the sandbox recorded, and the PID; the leading number is the nesting depth shown in the report.
1. C:\Users\Admin\AppData\Local\Temp\a05805fdc475b8920831d5620e5a3790N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a05805fdc475b8920831d5620e5a3790N.exe"), PID 3984
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kjkjnm32.exe (command line: C:\Windows\system32\Kjkjnm32.exe), PID 5176
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kadbjgcf.exe (command line: C:\Windows\system32\Kadbjgcf.exe), PID 668
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kdcofbbi.exe (command line: C:\Windows\system32\Kdcofbbi.exe), PID 5556
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kbfobo32.exe (command line: C:\Windows\system32\Kbfobo32.exe), PID 1288
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kipgoiqa.exe (command line: C:\Windows\system32\Kipgoiqa.exe), PID 5412
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kpjpkchn.exe (command line: C:\Windows\system32\Kpjpkchn.exe), PID 2716
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kbhlgoga.exe (command line: C:\Windows\system32\Kbhlgoga.exe), PID 5628
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kmnpehgg.exe (command line: C:\Windows\system32\Kmnpehgg.exe), PID 4396
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kbjhmoeo.exe (command line: C:\Windows\system32\Kbjhmoeo.exe), PID 6032
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lkaqnlfa.exe (command line: C:\Windows\system32\Lkaqnlfa.exe), PID 5124
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lmpmjgee.exe (command line: C:\Windows\system32\Lmpmjgee.exe), PID 6064
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lpoifc32.exe (command line: C:\Windows\system32\Lpoifc32.exe), PID 5912
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Lbmebn32.exe (command line: C:\Windows\system32\Lbmebn32.exe), PID 5972
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ligmohki.exe (command line: C:\Windows\system32\Ligmohki.exe), PID 6132
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Lpaflb32.exe (command line: C:\Windows\system32\Lpaflb32.exe), PID 5840
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lcobhn32.exe (command line: C:\Windows\system32\Lcobhn32.exe), PID 808
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Lkfjik32.exe (command line: C:\Windows\system32\Lkfjik32.exe), PID 5784
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Lapbfeih.exe (command line: C:\Windows\system32\Lapbfeih.exe), PID 2256
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ldonbq32.exe (command line: C:\Windows\system32\Ldonbq32.exe), PID 3588
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Lilgjh32.exe (command line: C:\Windows\system32\Lilgjh32.exe), PID 3336
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Lpeoganq.exe (command line: C:\Windows\system32\Lpeoganq.exe), PID 5048
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Lgpgdl32.exe (command line: C:\Windows\system32\Lgpgdl32.exe), PID 1720
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Lmipqfmj.exe (command line: C:\Windows\system32\Lmipqfmj.exe), PID 3168
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Lphlmaln.exe (command line: C:\Windows\system32\Lphlmaln.exe), PID 3804
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Mkmpjj32.exe (command line: C:\Windows\system32\Mkmpjj32.exe), PID 3300
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Mpjhba32.exe (command line: C:\Windows\system32\Mpjhba32.exe), PID 5724
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Mcienm32.exe (command line: C:\Windows\system32\Mcienm32.exe), PID 5368
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Mibmkfql.exe (command line: C:\Windows\system32\Mibmkfql.exe), PID 5720
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Mnnile32.exe (command line: C:\Windows\system32\Mnnile32.exe), PID 3644
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Mdhahppa.exe (command line: C:\Windows\system32\Mdhahppa.exe), PID 4524
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Mkbieihn.exe (command line: C:\Windows\system32\Mkbieihn.exe), PID 436
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Mpobmqff.exe (command line: C:\Windows\system32\Mpobmqff.exe), PID 2312
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Mgijjj32.exe (command line: C:\Windows\system32\Mgijjj32.exe), PID 1620
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Mjgfff32.exe (command line: C:\Windows\system32\Mjgfff32.exe), PID 1320
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Mpaocpdc.exe (command line: C:\Windows\system32\Mpaocpdc.exe), PID 3676
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Mjjclejc.exe (command line: C:\Windows\system32\Mjjclejc.exe), PID 1956
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Maqkmckf.exe (command line: C:\Windows\system32\Maqkmckf.exe), PID 5000
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ndoginji.exe (command line: C:\Windows\system32\Ndoginji.exe), PID 948
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Ngncejim.exe (command line: C:\Windows\system32\Ngncejim.exe), PID 4508
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Nkipfh32.exe (command line: C:\Windows\system32\Nkipfh32.exe), PID 1048
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Nnglbd32.exe (command line: C:\Windows\system32\Nnglbd32.exe), PID 2236
   - Executes dropped EXE
   - Modifies registry class
43. C:\Windows\SysWOW64\Ndadonhg.exe (command line: C:\Windows\system32\Ndadonhg.exe), PID 5392
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Ngppkigk.exe (command line: C:\Windows\system32\Ngppkigk.exe), PID 64
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Nnjhgcog.exe (command line: C:\Windows\system32\Nnjhgcog.exe), PID 1096
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ncgapjmo.exe (command line: C:\Windows\system32\Ncgapjmo.exe), PID 1480
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Njqild32.exe (command line: C:\Windows\system32\Njqild32.exe), PID 1740
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Nnlemcme.exe (command line: C:\Windows\system32\Nnlemcme.exe), PID 1824
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
49. C:\Windows\SysWOW64\Ndfnjm32.exe (command line: C:\Windows\system32\Ndfnjm32.exe), PID 2040
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Ngdjfi32.exe (command line: C:\Windows\system32\Ngdjfi32.exe), PID 2460
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Nqmnon32.exe (command line: C:\Windows\system32\Nqmnon32.exe), PID 3388
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Nggfkhab.exe (command line: C:\Windows\system32\Nggfkhab.exe), PID 5476
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Nnaohb32.exe (command line: C:\Windows\system32\Nnaohb32.exe), PID 3452
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Oqokdn32.exe (command line: C:\Windows\system32\Oqokdn32.exe), PID 3516
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Ogicahop.exe (command line: C:\Windows\system32\Ogicahop.exe), PID 5600
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Oncknb32.exe (command line: C:\Windows\system32\Oncknb32.exe), PID 1448
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Odmcjl32.exe (command line: C:\Windows\system32\Odmcjl32.exe), PID 812
   - Executes dropped EXE
   - Modifies registry class
58. C:\Windows\SysWOW64\Oglpfh32.exe (command line: C:\Windows\system32\Oglpfh32.exe), PID 868
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Ojjlbc32.exe (command line: C:\Windows\system32\Ojjlbc32.exe), PID 4360
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Onehcbdj.exe (command line: C:\Windows\system32\Onehcbdj.exe), PID 5160
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Odpppl32.exe (command line: C:\Windows\system32\Odpppl32.exe), PID 4788
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Ognmlg32.exe (command line: C:\Windows\system32\Ognmlg32.exe), PID 5536
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Obcaip32.exe (command line: C:\Windows\system32\Obcaip32.exe), PID 4400
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Ocemah32.exe (command line: C:\Windows\system32\Ocemah32.exe), PID 368
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Ojoenbhl.exe (command line: C:\Windows\system32\Ojoenbhl.exe), PID 1952
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Obfnopin.exe (command line: C:\Windows\system32\Obfnopin.exe), PID 5020
   - Drops file in System32 directory
67. C:\Windows\SysWOW64\Oddjkkha.exe (command line: C:\Windows\system32\Oddjkkha.exe), PID 6000
68. C:\Windows\SysWOW64\Ogbfggge.exe (command line: C:\Windows\system32\Ogbfggge.exe), PID 1816
69. C:\Windows\SysWOW64\Ojabcbfi.exe (command line: C:\Windows\system32\Ojabcbfi.exe), PID 6004
70. C:\Windows\SysWOW64\Pbhjdpgk.exe (command line: C:\Windows\system32\Pbhjdpgk.exe), PID 5028
71. C:\Windows\SysWOW64\Pgebmf32.exe (command line: C:\Windows\system32\Pgebmf32.exe), PID 1468
   - Drops file in System32 directory
72. C:\Windows\SysWOW64\Pjcoib32.exe (command line: C:\Windows\system32\Pjcoib32.exe), PID 5640
   - Modifies registry class
73. C:\Windows\SysWOW64\Pnokiqlo.exe (command line: C:\Windows\system32\Pnokiqlo.exe), PID 5444
74. C:\Windows\SysWOW64\Pqmgelkc.exe (command line: C:\Windows\system32\Pqmgelkc.exe), PID 3868
75. C:\Windows\SysWOW64\Pggobf32.exe (command line: C:\Windows\system32\Pggobf32.exe), PID 4692
76. C:\Windows\SysWOW64\Pnahopjm.exe (command line: C:\Windows\system32\Pnahopjm.exe), PID 5528
77. C:\Windows\SysWOW64\Pbmcpo32.exe (command line: C:\Windows\system32\Pbmcpo32.exe), PID 4496
78. C:\Windows\SysWOW64\Pdkplj32.exe (command line: C:\Windows\system32\Pdkplj32.exe), PID 5612
   - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Pkehhd32.exe (command line: C:\Windows\system32\Pkehhd32.exe), PID 5304
80. C:\Windows\SysWOW64\Pbopeoqc.exe (command line: C:\Windows\system32\Pbopeoqc.exe), PID 5700
81. C:\Windows\SysWOW64\Pdnmajpg.exe (command line: C:\Windows\system32\Pdnmajpg.exe), PID 5292
82. C:\Windows\SysWOW64\Pkgend32.exe (command line: C:\Windows\system32\Pkgend32.exe), PID 2944
83. C:\Windows\SysWOW64\Pbamknoq.exe (command line: C:\Windows\system32\Pbamknoq.exe), PID 640
84. C:\Windows\SysWOW64\Pepigjnd.exe (command line: C:\Windows\system32\Pepigjnd.exe), PID 5636
85. C:\Windows\SysWOW64\Pjmaoq32.exe (command line: C:\Windows\system32\Pjmaoq32.exe), PID 1472
   - Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Qebfli32.exe (command line: C:\Windows\system32\Qebfli32.exe), PID 4244
87. C:\Windows\SysWOW64\Qklniccn.exe (command line: C:\Windows\system32\Qklniccn.exe), PID 4736
88. C:\Windows\SysWOW64\Qnkjeobb.exe (command line: C:\Windows\system32\Qnkjeobb.exe), PID 4740
89. C:\Windows\SysWOW64\Qgcond32.exe (command line: C:\Windows\system32\Qgcond32.exe), PID 5240
90. C:\Windows\SysWOW64\Anmgko32.exe (command line: C:\Windows\system32\Anmgko32.exe), PID 1256
91. C:\Windows\SysWOW64\Abhckmhh.exe (command line: C:\Windows\system32\Abhckmhh.exe), PID 1532
   - Adds autorun key to be loaded by Explorer.exe on startup
92. C:\Windows\SysWOW64\Aegogihl.exe (command line: C:\Windows\system32\Aegogihl.exe), PID 4768
93. C:\Windows\SysWOW64\Acjpce32.exe (command line: C:\Windows\system32\Acjpce32.exe), PID 2432
94. C:\Windows\SysWOW64\Akahdc32.exe (command line: C:\Windows\system32\Akahdc32.exe), PID 2948
95. C:\Windows\SysWOW64\Anodpn32.exe (command line: C:\Windows\system32\Anodpn32.exe), PID 5936
   - Drops file in System32 directory
96. C:\Windows\SysWOW64\Abkpamff.exe (command line: C:\Windows\system32\Abkpamff.exe), PID 3960
97. C:\Windows\SysWOW64\Aeilmhei.exe (command line: C:\Windows\system32\Aeilmhei.exe), PID 452
98. C:\Windows\SysWOW64\Acllhe32.exe (command line: C:\Windows\system32\Acllhe32.exe), PID 1436
   - Modifies registry class
99. C:\Windows\SysWOW64\Akcdjb32.exe (command line: C:\Windows\system32\Akcdjb32.exe), PID 4344
   - Modifies registry class
100. C:\Windows\SysWOW64\Ajfdeoda.exe (command line: C:\Windows\system32\Ajfdeoda.exe), PID 1428
101. C:\Windows\SysWOW64\Anaqfnlj.exe (command line: C:\Windows\system32\Anaqfnlj.exe), PID 5520
102. C:\Windows\SysWOW64\Aapmbikn.exe (command line: C:\Windows\system32\Aapmbikn.exe), PID 2984
103. C:\Windows\SysWOW64\Acoineja.exe (command line: C:\Windows\system32\Acoineja.exe), PID 5920
   - Modifies registry class
104. C:\Windows\SysWOW64\Akeaobkc.exe (command line: C:\Windows\system32\Akeaobkc.exe), PID 5928
105. C:\Windows\SysWOW64\Andmknjg.exe (command line: C:\Windows\system32\Andmknjg.exe), PID 2332
106. C:\Windows\SysWOW64\Abpill32.exe (command line: C:\Windows\system32\Abpill32.exe), PID 5616
107. C:\Windows\SysWOW64\Aenehh32.exe (command line: C:\Windows\system32\Aenehh32.exe), PID 2812
108. C:\Windows\SysWOW64\Acafcdho.exe (command line: C:\Windows\system32\Acafcdho.exe), PID 3756
109. C:\Windows\SysWOW64\Alhnebia.exe (command line: C:\Windows\system32\Alhnebia.exe), PID 1696
110. C:\Windows\SysWOW64\Ajknpo32.exe (command line: C:\Windows\system32\Ajknpo32.exe), PID 4560
111. C:\Windows\SysWOW64\Abbfalpn.exe (command line: C:\Windows\system32\Abbfalpn.exe), PID 4784
112. C:\Windows\SysWOW64\Aaefmi32.exe (command line: C:\Windows\system32\Aaefmi32.exe), PID 5296
113. C:\Windows\SysWOW64\Accbid32.exe (command line: C:\Windows\system32\Accbid32.exe), PID 2392
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
114. C:\Windows\SysWOW64\Aljjja32.exe (command line: C:\Windows\system32\Aljjja32.exe), PID 5424
115. C:\Windows\SysWOW64\Bjmkfnni.exe (command line: C:\Windows\system32\Bjmkfnni.exe), PID 2144
116. C:\Windows\SysWOW64\Bbdbglnk.exe (command line: C:\Windows\system32\Bbdbglnk.exe), PID 5104
117. C:\Windows\SysWOW64\Bebocgmo.exe (command line: C:\Windows\system32\Bebocgmo.exe), PID 1588
118. C:\Windows\SysWOW64\Bceood32.exe (command line: C:\Windows\system32\Bceood32.exe), PID 1380
119. C:\Windows\SysWOW64\Bhakobmb.exe (command line: C:\Windows\system32\Bhakobmb.exe), PID 976
120. C:\Windows\SysWOW64\Bjpgknlf.exe (command line: C:\Windows\system32\Bjpgknlf.exe), PID 4308
121. C:\Windows\SysWOW64\Bnkclm32.exe (command line: C:\Windows\system32\Bnkclm32.exe), PID 3524
122. C:\Windows\SysWOW64\Baiphhcc.exe (command line: C:\Windows\system32\Baiphhcc.exe), PID 3904