Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/09/2024, 04:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
26338db4b30913e8c87d2a84c8365290N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
26338db4b30913e8c87d2a84c8365290N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
26338db4b30913e8c87d2a84c8365290N.exe
-
Size
96KB
-
MD5
26338db4b30913e8c87d2a84c8365290
-
SHA1
30af49004a1d5014d0935b4cb9f17a8ed56fdb54
-
SHA256
72a8bb2f3d64a3daf02007a1ae28a39ad1b6958aeb47fcefd2ee2fe2a185b4e4
-
SHA512
dfb457bd537581a5c64d288922a1e624e7c96d87afb3b045eeab687cbed62fd5d532d7f6a5c4421ac6f3a1938fda728a83d013135b8281ac1d50b26bff521721
-
SSDEEP
1536:gcklx8G14xdQQraFko88zMdoRhm7VJRXz8cKHVN9FLqFFfUN1Avhw6JCMd:gLlmG14xdrfghkVJO1qFFfUrQlMW
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpmoiof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafcqcea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhidk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqbbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlgpod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keonap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdmmbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkkkcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihphkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdlop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjghcfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emanjldl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pknqoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iohejo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdebfnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeekkafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfadkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkmec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjodjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafdkmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fplpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iggjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhbmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diffglam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjchgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflibgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cofecami.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhnikc32.exe -
Executes dropped EXE 64 IoCs
pid Process 772 Acjclpcf.exe 1648 Ageolo32.exe 4156 Anogiicl.exe 4916 Aqncedbp.exe 1464 Aclpap32.exe 2852 Anadoi32.exe 2904 Aqppkd32.exe 2936 Agjhgngj.exe 372 Andqdh32.exe 3756 Aeniabfd.exe 3476 Afoeiklb.exe 432 Anfmjhmd.exe 2324 Accfbokl.exe 3496 Agoabn32.exe 4336 Bnhjohkb.exe 2548 Bebblb32.exe 400 Bganhm32.exe 2376 Bmngqdpj.exe 3852 Beeoaapl.exe 1684 Bgcknmop.exe 2624 Bnmcjg32.exe 2980 Beglgani.exe 3148 Bfhhoi32.exe 4420 Bnpppgdj.exe 3736 Beihma32.exe 3600 Bhhdil32.exe 3696 Bnbmefbg.exe 2028 Belebq32.exe 1312 Chjaol32.exe 5060 Cenahpha.exe 4004 Chmndlge.exe 1800 Cjkjpgfi.exe 3268 Caebma32.exe 2912 Cdcoim32.exe 2964 Cfbkeh32.exe 4108 Cnicfe32.exe 4048 Ceckcp32.exe 1324 Chagok32.exe 4232 Cnkplejl.exe 1660 Ceehho32.exe 1760 Chcddk32.exe 3472 Cjbpaf32.exe 4500 Cmqmma32.exe 3060 Cegdnopg.exe 2512 Dfiafg32.exe 3920 Dmcibama.exe 4708 Dejacond.exe 1864 Dfknkg32.exe 5052 Dobfld32.exe 920 Daqbip32.exe 3976 Dhkjej32.exe 4632 Dkifae32.exe 4460 Dmgbnq32.exe 2184 Ddakjkqi.exe 652 Dkkcge32.exe 4924 Daekdooc.exe 2900 Dknpmdfc.exe 4188 Doilmc32.exe 1020 Eecdjmfi.exe 4348 Egdqae32.exe 1848 Eolhbc32.exe 1068 Eefaomcg.exe 4732 Ehdmlhcj.exe 3228 Eonehbjg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hlmjfa32.dll Cidjbmcp.exe File created C:\Windows\SysWOW64\Hbceobam.dll Nccokk32.exe File created C:\Windows\SysWOW64\Jfdnfdoa.dll Ndflak32.exe File opened for modification C:\Windows\SysWOW64\Eiahnnph.exe Efblbbqd.exe File created C:\Windows\SysWOW64\Nadleilm.exe Process not Found File created C:\Windows\SysWOW64\Ldlghq32.dll Hoogfnnb.exe File opened for modification C:\Windows\SysWOW64\Loglacfo.exe Llipehgk.exe File opened for modification C:\Windows\SysWOW64\Aehgnied.exe Anaomkdb.exe File created C:\Windows\SysWOW64\Hkehkocf.exe Hdlpneli.exe File created C:\Windows\SysWOW64\Idqionfg.dll Bcelmhen.exe File created C:\Windows\SysWOW64\Boflmdkk.exe Bhldpj32.exe File created C:\Windows\SysWOW64\Cmmbbejp.exe Cjnffjkl.exe File created C:\Windows\SysWOW64\Lgjijmin.exe Lekmnajj.exe File opened for modification C:\Windows\SysWOW64\Holfoqcm.exe Hlnjbedi.exe File created C:\Windows\SysWOW64\Fgppmd32.exe Feocelll.exe File opened for modification C:\Windows\SysWOW64\Lacdmh32.exe Lndham32.exe File created C:\Windows\SysWOW64\Negcig32.dll Ahjgjj32.exe File opened for modification C:\Windows\SysWOW64\Kjjiej32.exe Kcpahpmd.exe File created C:\Windows\SysWOW64\Kmieae32.exe Kjjiej32.exe File opened for modification C:\Windows\SysWOW64\Impliekg.exe Iidphgcn.exe File opened for modification C:\Windows\SysWOW64\Egdqae32.exe Eecdjmfi.exe File opened for modification C:\Windows\SysWOW64\Ccqkigkp.exe Cikglnkj.exe File created C:\Windows\SysWOW64\Hhoneioi.dll Jkgpbp32.exe File created C:\Windows\SysWOW64\Blciboie.dll Pkgcea32.exe File opened for modification C:\Windows\SysWOW64\Ibpiogmp.exe Ikfabm32.exe File created C:\Windows\SysWOW64\Plagcbdn.exe Phelcc32.exe File created C:\Windows\SysWOW64\Hgdlndji.dll Aompak32.exe File created C:\Windows\SysWOW64\Paoinm32.dll Process not Found File created C:\Windows\SysWOW64\Hecjke32.exe Process not Found File created C:\Windows\SysWOW64\Aofcga32.dll Jfbkpd32.exe File created C:\Windows\SysWOW64\Qabjcina.dll Gmiclo32.exe File created C:\Windows\SysWOW64\Paedlhhc.dll Maiccajf.exe File created C:\Windows\SysWOW64\Qimkic32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Meamcg32.exe Mbbagk32.exe File created C:\Windows\SysWOW64\Gjfnedho.exe Gbofcghl.exe File opened for modification C:\Windows\SysWOW64\Lkchelci.exe Lggldm32.exe File opened for modification C:\Windows\SysWOW64\Fpgpgfmh.exe Fmhdkknd.exe File opened for modification C:\Windows\SysWOW64\Dqbcbkab.exe Process not Found File created C:\Windows\SysWOW64\Nholna32.dll Hnoklk32.exe File created C:\Windows\SysWOW64\Kpamdcha.dll Ncjginjn.exe File opened for modification C:\Windows\SysWOW64\Emmkiclm.exe Efccmidp.exe File opened for modification C:\Windows\SysWOW64\Kpmdfonj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ogekbb32.exe Process not Found File created C:\Windows\SysWOW64\Lcafnn32.dll Hbpphi32.exe File created C:\Windows\SysWOW64\Bjjhhfnd.dll Bkaobnio.exe File created C:\Windows\SysWOW64\Epllglpf.dll Ebejfk32.exe File created C:\Windows\SysWOW64\Omfmcjlk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pfdjinjo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cidjbmcp.exe Cgcmjd32.exe File created C:\Windows\SysWOW64\Dlmmaqlm.dll Hildmn32.exe File created C:\Windows\SysWOW64\Fkdjqkoj.dll Process not Found File created C:\Windows\SysWOW64\Ceknlgnl.dll Process not Found File created C:\Windows\SysWOW64\Hnodaecc.exe Hkpheidp.exe File created C:\Windows\SysWOW64\Hhknpmma.exe Hnfjbdmk.exe File opened for modification C:\Windows\SysWOW64\Lojmcdgl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Chmndlge.exe Cenahpha.exe File created C:\Windows\SysWOW64\Egjogddi.dll Piphgq32.exe File created C:\Windows\SysWOW64\Noomkkpc.dll Dfefkkqp.exe File created C:\Windows\SysWOW64\Inqbclob.exe Ikbfgppo.exe File opened for modification C:\Windows\SysWOW64\Ckbemgcp.exe Process not Found File created C:\Windows\SysWOW64\Mcgiefen.exe Process not Found File created C:\Windows\SysWOW64\Anogiicl.exe Ageolo32.exe File created C:\Windows\SysWOW64\Nlnkmnah.exe Niooqcad.exe File created C:\Windows\SysWOW64\Dpgnjo32.exe Dmhand32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11268 12064 Process not Found 1573 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidqko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fealin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjodjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gilapgqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkidohn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phodcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accfbokl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackbmcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadfkdgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmoohbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnhidk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcaofebg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmioc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meamcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aednci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbkfkal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niooqcad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmepn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbmcbime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcbfakec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijchhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaleglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpmbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaindh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfbibikg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqkill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcjkfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcepgmg.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maggnali.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mibime32.dll" Giqkkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhbkinel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjnkpdc.dll" Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll" Cmgjgcgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfnkkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lidmhmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjem32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll" Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgflqkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gndcedao.dll" Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdikecn.dll" Ohjlgefb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nknobkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichelm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbejk32.dll" Hdnldd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imgicgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjoke32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnaggngj.dll" Emcbio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpebke32.dll" Jicdap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbadcpbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phjenbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memicmfo.dll" Bjfjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plmmif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajcdnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgbdcgld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgejpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leadnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khfclo32.dll" Cljobphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbelcblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfaajnfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiikeffm.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1692 wrote to memory of 772 1692 26338db4b30913e8c87d2a84c8365290N.exe 83 PID 1692 wrote to memory of 772 1692 26338db4b30913e8c87d2a84c8365290N.exe 83 PID 1692 wrote to memory of 772 1692 26338db4b30913e8c87d2a84c8365290N.exe 83 PID 772 wrote to memory of 1648 772 Acjclpcf.exe 84 PID 772 wrote to memory of 1648 772 Acjclpcf.exe 84 PID 772 wrote to memory of 1648 772 Acjclpcf.exe 84 PID 1648 wrote to memory of 4156 1648 Ageolo32.exe 85 PID 1648 wrote to memory of 4156 1648 Ageolo32.exe 85 PID 1648 wrote to memory of 4156 1648 Ageolo32.exe 85 PID 4156 wrote to memory of 4916 4156 Anogiicl.exe 86 PID 4156 wrote to memory of 4916 4156 Anogiicl.exe 86 PID 4156 wrote to memory of 4916 4156 Anogiicl.exe 86 PID 4916 wrote to memory of 1464 4916 Aqncedbp.exe 87 PID 4916 wrote to memory of 1464 4916 Aqncedbp.exe 87 PID 4916 wrote to memory of 1464 4916 Aqncedbp.exe 87 PID 1464 wrote to memory of 2852 1464 Aclpap32.exe 88 PID 1464 wrote to memory of 2852 1464 Aclpap32.exe 88 PID 1464 wrote to memory of 2852 1464 Aclpap32.exe 88 PID 2852 wrote to memory of 2904 2852 Anadoi32.exe 90 PID 2852 wrote to memory of 2904 2852 Anadoi32.exe 90 PID 2852 wrote to memory of 2904 2852 Anadoi32.exe 90 PID 2904 wrote to memory of 2936 2904 Aqppkd32.exe 91 PID 2904 wrote to memory of 2936 2904 Aqppkd32.exe 91 PID 2904 wrote to memory of 2936 2904 Aqppkd32.exe 91 PID 2936 wrote to memory of 372 2936 Agjhgngj.exe 92 PID 2936 wrote to memory of 372 2936 Agjhgngj.exe 92 PID 2936 wrote to memory of 372 2936 Agjhgngj.exe 92 PID 372 wrote to memory of 3756 372 Andqdh32.exe 93 PID 372 wrote to memory of 3756 372 Andqdh32.exe 93 PID 372 wrote to memory of 3756 372 Andqdh32.exe 93 PID 3756 wrote to memory of 3476 3756 Aeniabfd.exe 94 PID 3756 wrote to memory of 3476 3756 Aeniabfd.exe 94 PID 3756 wrote to memory of 3476 3756 Aeniabfd.exe 94 PID 3476 wrote to memory of 432 3476 Afoeiklb.exe 96 PID 3476 wrote to memory of 432 3476 Afoeiklb.exe 96 PID 3476 wrote to memory of 432 3476 Afoeiklb.exe 96 PID 432 wrote to memory of 2324 432 Anfmjhmd.exe 97 PID 432 wrote to memory of 2324 432 Anfmjhmd.exe 97 PID 432 wrote to memory of 2324 432 Anfmjhmd.exe 97 PID 2324 wrote to memory of 3496 2324 Accfbokl.exe 98 PID 2324 wrote to memory of 3496 2324 Accfbokl.exe 98 PID 2324 wrote to memory of 3496 2324 Accfbokl.exe 98 PID 3496 wrote to memory of 4336 3496 Agoabn32.exe 99 PID 3496 wrote to memory of 4336 3496 Agoabn32.exe 99 PID 3496 wrote to memory of 4336 3496 Agoabn32.exe 99 PID 4336 wrote to memory of 2548 4336 Bnhjohkb.exe 100 PID 4336 wrote to memory of 2548 4336 Bnhjohkb.exe 100 PID 4336 wrote to memory of 2548 4336 Bnhjohkb.exe 100 PID 2548 wrote to memory of 400 2548 Bebblb32.exe 101 PID 2548 wrote to memory of 400 2548 Bebblb32.exe 101 PID 2548 wrote to memory of 400 2548 Bebblb32.exe 101 PID 400 wrote to memory of 2376 400 Bganhm32.exe 102 PID 400 wrote to memory of 2376 400 Bganhm32.exe 102 PID 400 wrote to memory of 2376 400 Bganhm32.exe 102 PID 2376 wrote to memory of 3852 2376 Bmngqdpj.exe 104 PID 2376 wrote to memory of 3852 2376 Bmngqdpj.exe 104 PID 2376 wrote to memory of 3852 2376 Bmngqdpj.exe 104 PID 3852 wrote to memory of 1684 3852 Beeoaapl.exe 105 PID 3852 wrote to memory of 1684 3852 Beeoaapl.exe 105 PID 3852 wrote to memory of 1684 3852 Beeoaapl.exe 105 PID 1684 wrote to memory of 2624 1684 Bgcknmop.exe 106 PID 1684 wrote to memory of 2624 1684 Bgcknmop.exe 106 PID 1684 wrote to memory of 2624 1684 Bgcknmop.exe 106 PID 2624 wrote to memory of 2980 2624 Bnmcjg32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\26338db4b30913e8c87d2a84c8365290N.exe"C:\Users\Admin\AppData\Local\Temp\26338db4b30913e8c87d2a84c8365290N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe23⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe24⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe25⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe26⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe27⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe28⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe29⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe30⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe31⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5060 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe33⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe34⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe35⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe36⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe38⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4048 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe40⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe41⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe42⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe43⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe44⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe45⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe46⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe47⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe48⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe49⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe50⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe52⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe53⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe55⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe56⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe57⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe58⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe59⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe60⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe62⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe63⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe64⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe65⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe66⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe67⤵PID:4224
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe68⤵PID:2456
-
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe69⤵PID:4064
-
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe70⤵
- Modifies registry class
PID:4720 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe71⤵PID:4868
-
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe72⤵PID:404
-
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe73⤵PID:4448
-
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe74⤵PID:2452
-
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe75⤵PID:4892
-
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe76⤵PID:3124
-
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe77⤵PID:4536
-
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe78⤵
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe79⤵PID:2276
-
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe80⤵PID:1056
-
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3704 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe82⤵PID:3216
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe83⤵
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe84⤵PID:4488
-
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe85⤵PID:1720
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe86⤵PID:2320
-
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe87⤵PID:1284
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe88⤵PID:2196
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe89⤵PID:4088
-
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe90⤵PID:1796
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe91⤵PID:4824
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe92⤵PID:228
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe93⤵PID:4512
-
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe94⤵PID:1016
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe95⤵PID:4800
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe96⤵PID:3692
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe97⤵PID:3676
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe98⤵PID:1768
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe99⤵PID:5136
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe100⤵PID:5180
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe101⤵PID:5224
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe102⤵PID:5268
-
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe103⤵
- System Location Discovery: System Language Discovery
PID:5312 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe104⤵PID:5356
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe105⤵PID:5400
-
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe106⤵PID:5460
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe107⤵PID:5504
-
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe108⤵PID:5568
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe109⤵PID:5624
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe110⤵
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe111⤵PID:5740
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe112⤵PID:5788
-
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe113⤵PID:5840
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe114⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe115⤵
- System Location Discovery: System Language Discovery
PID:5944 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe116⤵PID:5996
-
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe117⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe118⤵PID:6124
-
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe119⤵PID:5144
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe120⤵
- Drops file in System32 directory
PID:5232 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:688
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-