Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2024, 20:29
Static task: static1
Behavioral task: behavioral1
  Sample: 9106cfc772c5be015eb9960b0e2ebd10N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9106cfc772c5be015eb9960b0e2ebd10N.exe
  Resource: win10v2004-20240802-en
General
Target: 9106cfc772c5be015eb9960b0e2ebd10N.exe
Size: 96KB
MD5: 9106cfc772c5be015eb9960b0e2ebd10
SHA1: fadb534d1b9e9b88509bf86bd55440a4b9e8a88f
SHA256: 968087952506951d7b21b2098d9fdfa99e90d9ccc1c016856eb6764decdbd377
SHA512: 15794009600097a1e07b86b9b4c549779c7b92cb957dc85110843040a9608b690df559b6cc15141fb4a809b0bdfb84ff11c3ad8e98066ef395a46f1776c44382
SSDEEP: 1536:66riWeA26/O8v5kqkgoNpskAqla1ArKwOw6yOzu2tt74S7V+5pUMv84WMRw8Dkqq:66rG/6/V5kqkhNpskAqloArlhOKip4SN
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 5440, pid_target: 5568, Process: WerFault.exe, procid_target: 867
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
image path | command line | PID (the number before ⤵ is the process's position in the chain; each process is the child of the one above it)
1⤵ C:\Users\Admin\AppData\Local\Temp\9106cfc772c5be015eb9960b0e2ebd10N.exe | "C:\Users\Admin\AppData\Local\Temp\9106cfc772c5be015eb9960b0e2ebd10N.exe" | PID:180
  - Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\Kickhg32.exe | C:\Windows\system32\Kickhg32.exe | PID:844
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\Kblpalgf.exe | C:\Windows\system32\Kblpalgf.exe | PID:2108
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\Kejlmhfj.exe | C:\Windows\system32\Kejlmhfj.exe | PID:4492
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\Kifhnf32.exe | C:\Windows\system32\Kifhnf32.exe | PID:1148
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\Kbnlgled.exe | C:\Windows\system32\Kbnlgled.exe | PID:220
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\Kemhcgdg.exe | C:\Windows\system32\Kemhcgdg.exe | PID:3472
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
8⤵ C:\Windows\SysWOW64\Ldniqolf.exe | C:\Windows\system32\Ldniqolf.exe | PID:4564
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\Lflemjkj.exe | C:\Windows\system32\Lflemjkj.exe | PID:2116
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
10⤵ C:\Windows\SysWOW64\Llimeaia.exe | C:\Windows\system32\Llimeaia.exe | PID:4968
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\Lfoabjih.exe | C:\Windows\system32\Lfoabjih.exe | PID:3684
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
12⤵ C:\Windows\SysWOW64\Lmijod32.exe | C:\Windows\system32\Lmijod32.exe | PID:3208
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\Ldbbln32.exe | C:\Windows\system32\Ldbbln32.exe | PID:3192
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
14⤵ C:\Windows\SysWOW64\Lfanhj32.exe | C:\Windows\system32\Lfanhj32.exe | PID:2924
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\Lmkfddnb.exe | C:\Windows\system32\Lmkfddnb.exe | PID:2568
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
16⤵ C:\Windows\SysWOW64\Llngpq32.exe | C:\Windows\system32\Llngpq32.exe | PID:1216
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\Lgckni32.exe | C:\Windows\system32\Lgckni32.exe | PID:1824
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
18⤵ C:\Windows\SysWOW64\Llpcfp32.exe | C:\Windows\system32\Llpcfp32.exe | PID:2976
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
19⤵ C:\Windows\SysWOW64\Lgfhcicp.exe | C:\Windows\system32\Lgfhcicp.exe | PID:4624
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
20⤵ C:\Windows\SysWOW64\Liddodbc.exe | C:\Windows\system32\Liddodbc.exe | PID:788
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
21⤵ C:\Windows\SysWOW64\Mdjhlmai.exe | C:\Windows\system32\Mdjhlmai.exe | PID:1688
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
22⤵ C:\Windows\SysWOW64\Mekdde32.exe | C:\Windows\system32\Mekdde32.exe | PID:2760
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
23⤵ C:\Windows\SysWOW64\Mpqian32.exe | C:\Windows\system32\Mpqian32.exe | PID:4496
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
24⤵ C:\Windows\SysWOW64\Memajeee.exe | C:\Windows\system32\Memajeee.exe | PID:4344
  - Executes dropped EXE
25⤵ C:\Windows\SysWOW64\Mlgjfo32.exe | C:\Windows\system32\Mlgjfo32.exe | PID:1448
  - Executes dropped EXE
26⤵ C:\Windows\SysWOW64\Mdnagm32.exe | C:\Windows\system32\Mdnagm32.exe | PID:3564
  - Executes dropped EXE
27⤵ C:\Windows\SysWOW64\Mikjpc32.exe | C:\Windows\system32\Mikjpc32.exe | PID:4608
  - Executes dropped EXE
28⤵ C:\Windows\SysWOW64\Mmgfqbdd.exe | C:\Windows\system32\Mmgfqbdd.exe | PID:1204
  - Executes dropped EXE
29⤵ C:\Windows\SysWOW64\Mgokihke.exe | C:\Windows\system32\Mgokihke.exe | PID:1640
  - Executes dropped EXE
30⤵ C:\Windows\SysWOW64\Mmicfb32.exe | C:\Windows\system32\Mmicfb32.exe | PID:3064
  - Executes dropped EXE
31⤵ C:\Windows\SysWOW64\Mpgobm32.exe | C:\Windows\system32\Mpgobm32.exe | PID:1620
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
32⤵ C:\Windows\SysWOW64\Medgjd32.exe | C:\Windows\system32\Medgjd32.exe | PID:376
  - Executes dropped EXE
33⤵ C:\Windows\SysWOW64\Nlnpgngj.exe | C:\Windows\system32\Nlnpgngj.exe | PID:3920
  - Executes dropped EXE
34⤵ C:\Windows\SysWOW64\Nchhdh32.exe | C:\Windows\system32\Nchhdh32.exe | PID:4120
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
35⤵ C:\Windows\SysWOW64\Nefdpdmj.exe | C:\Windows\system32\Nefdpdmj.exe | PID:2764
  - Executes dropped EXE
36⤵ C:\Windows\SysWOW64\Nlqlmn32.exe | C:\Windows\system32\Nlqlmn32.exe | PID:4900
  - Executes dropped EXE
37⤵ C:\Windows\SysWOW64\Ncjdihld.exe | C:\Windows\system32\Ncjdihld.exe | PID:4752
  - Executes dropped EXE
38⤵ C:\Windows\SysWOW64\Neiaeckg.exe | C:\Windows\system32\Neiaeckg.exe | PID:1376
  - Executes dropped EXE
39⤵ C:\Windows\SysWOW64\Nnpifalj.exe | C:\Windows\system32\Nnpifalj.exe | PID:2784
  - Executes dropped EXE
40⤵ C:\Windows\SysWOW64\Ndjack32.exe | C:\Windows\system32\Ndjack32.exe | PID:3916
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
41⤵ C:\Windows\SysWOW64\Neknkcie.exe | C:\Windows\system32\Neknkcie.exe | PID:2284
  - Executes dropped EXE
42⤵ C:\Windows\SysWOW64\Nnbelq32.exe | C:\Windows\system32\Nnbelq32.exe | PID:4340
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
43⤵ C:\Windows\SysWOW64\Ncondg32.exe | C:\Windows\system32\Ncondg32.exe | PID:3324
  - Executes dropped EXE
44⤵ C:\Windows\SysWOW64\Nfnjqc32.exe | C:\Windows\system32\Nfnjqc32.exe | PID:2988
  - Executes dropped EXE
45⤵ C:\Windows\SysWOW64\Nlgbmmoo.exe | C:\Windows\system32\Nlgbmmoo.exe | PID:232
  - Executes dropped EXE
46⤵ C:\Windows\SysWOW64\Npconl32.exe | C:\Windows\system32\Npconl32.exe | PID:3316
  - Executes dropped EXE
47⤵ C:\Windows\SysWOW64\Ncakjg32.exe | C:\Windows\system32\Ncakjg32.exe | PID:1644
  - Executes dropped EXE
48⤵ C:\Windows\SysWOW64\Ngmgkfoe.exe | C:\Windows\system32\Ngmgkfoe.exe | PID:3008
  - Executes dropped EXE
49⤵ C:\Windows\SysWOW64\Ojlcgani.exe | C:\Windows\system32\Ojlcgani.exe | PID:2024
  - Executes dropped EXE
50⤵ C:\Windows\SysWOW64\Opekckee.exe | C:\Windows\system32\Opekckee.exe | PID:1984
  - Executes dropped EXE
51⤵ C:\Windows\SysWOW64\Ojnpla32.exe | C:\Windows\system32\Ojnpla32.exe | PID:1136
  - Executes dropped EXE
52⤵ C:\Windows\SysWOW64\Ophhikcc.exe | C:\Windows\system32\Ophhikcc.exe | PID:4220
  - Executes dropped EXE
  - Drops file in System32 directory
53⤵ C:\Windows\SysWOW64\Ofdqabaj.exe | C:\Windows\system32\Ofdqabaj.exe | PID:4144
  - Executes dropped EXE
54⤵ C:\Windows\SysWOW64\Onlhbobl.exe | C:\Windows\system32\Onlhbobl.exe | PID:3960
  - Executes dropped EXE
55⤵ C:\Windows\SysWOW64\Odfqoiii.exe | C:\Windows\system32\Odfqoiii.exe | PID:1368
  - Executes dropped EXE
56⤵ C:\Windows\SysWOW64\Ofgmga32.exe | C:\Windows\system32\Ofgmga32.exe | PID:4940
57⤵ C:\Windows\SysWOW64\Olaeclgd.exe | C:\Windows\system32\Olaeclgd.exe | PID:4228
  - Executes dropped EXE
58⤵ C:\Windows\SysWOW64\Odhmdigf.exe | C:\Windows\system32\Odhmdigf.exe | PID:1132
  - Executes dropped EXE
59⤵ C:\Windows\SysWOW64\Ofijla32.exe | C:\Windows\system32\Ofijla32.exe | PID:4836
  - Executes dropped EXE
60⤵ C:\Windows\SysWOW64\Omcbikda.exe | C:\Windows\system32\Omcbikda.exe | PID:3560
  - Executes dropped EXE
61⤵ C:\Windows\SysWOW64\Ogiffd32.exe | C:\Windows\system32\Ogiffd32.exe | PID:4184
  - Executes dropped EXE
62⤵ C:\Windows\SysWOW64\Pncocnld.exe | C:\Windows\system32\Pncocnld.exe | PID:3544
  - Executes dropped EXE
  - Modifies registry class
63⤵ C:\Windows\SysWOW64\Pqakojkh.exe | C:\Windows\system32\Pqakojkh.exe | PID:3016
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
64⤵ C:\Windows\SysWOW64\Pcpgkejl.exe | C:\Windows\system32\Pcpgkejl.exe | PID:1684
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
65⤵ C:\Windows\SysWOW64\Pnekinjb.exe | C:\Windows\system32\Pnekinjb.exe | PID:4824
  - Executes dropped EXE
66⤵ C:\Windows\SysWOW64\Pmhldk32.exe | C:\Windows\system32\Pmhldk32.exe | PID:4484
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
67⤵ C:\Windows\SysWOW64\Pqfdji32.exe | C:\Windows\system32\Pqfdji32.exe | PID:2536
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  - Modifies registry class
68⤵ C:\Windows\SysWOW64\Pgbimb32.exe | C:\Windows\system32\Pgbimb32.exe | PID:2896
69⤵ C:\Windows\SysWOW64\Pfeihpcg.exe | C:\Windows\system32\Pfeihpcg.exe | PID:3476
70⤵ C:\Windows\SysWOW64\Pjqein32.exe | C:\Windows\system32\Pjqein32.exe | PID:1764
71⤵ C:\Windows\SysWOW64\Pcijacba.exe | C:\Windows\system32\Pcijacba.exe | PID:5052
  - Drops file in System32 directory
72⤵ C:\Windows\SysWOW64\Qnonolag.exe | C:\Windows\system32\Qnonolag.exe | PID:864
73⤵ C:\Windows\SysWOW64\Qggbhbhh.exe | C:\Windows\system32\Qggbhbhh.exe | PID:5148
  - Modifies registry class
74⤵ C:\Windows\SysWOW64\Qmckpifo.exe | C:\Windows\system32\Qmckpifo.exe | PID:5188
  - Modifies registry class
75⤵ C:\Windows\SysWOW64\Aflpio32.exe | C:\Windows\system32\Aflpio32.exe | PID:5228
76⤵ C:\Windows\SysWOW64\Ancgjl32.exe | C:\Windows\system32\Ancgjl32.exe | PID:5280
  - Modifies registry class
77⤵ C:\Windows\SysWOW64\Acppbb32.exe | C:\Windows\system32\Acppbb32.exe | PID:5320
78⤵ C:\Windows\SysWOW64\Ajjhom32.exe | C:\Windows\system32\Ajjhom32.exe | PID:5364
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
79⤵ C:\Windows\SysWOW64\Aqdqlgkc.exe | C:\Windows\system32\Aqdqlgkc.exe | PID:5404
80⤵ C:\Windows\SysWOW64\Agniha32.exe | C:\Windows\system32\Agniha32.exe | PID:5448
81⤵ C:\Windows\SysWOW64\Ajledl32.exe | C:\Windows\system32\Ajledl32.exe | PID:5484
82⤵ C:\Windows\SysWOW64\Anhaekil.exe | C:\Windows\system32\Anhaekil.exe | PID:5524
83⤵ C:\Windows\SysWOW64\Aebiae32.exe | C:\Windows\system32\Aebiae32.exe | PID:5568
84⤵ C:\Windows\SysWOW64\Afcfimgg.exe | C:\Windows\system32\Afcfimgg.exe | PID:5628
85⤵ C:\Windows\SysWOW64\Aaijgf32.exe | C:\Windows\system32\Aaijgf32.exe | PID:5672
86⤵ C:\Windows\SysWOW64\Agbbcpnj.exe | C:\Windows\system32\Agbbcpnj.exe | PID:5724
87⤵ C:\Windows\SysWOW64\Ajanplmn.exe | C:\Windows\system32\Ajanplmn.exe | PID:5764
88⤵ C:\Windows\SysWOW64\Bgeoiplh.exe | C:\Windows\system32\Bgeoiplh.exe | PID:5812
89⤵ C:\Windows\SysWOW64\Beiobd32.exe | C:\Windows\system32\Beiobd32.exe | PID:5860
90⤵ C:\Windows\SysWOW64\Bgglop32.exe | C:\Windows\system32\Bgglop32.exe | PID:5912
91⤵ C:\Windows\SysWOW64\Bjfhkk32.exe | C:\Windows\system32\Bjfhkk32.exe | PID:5960
92⤵ C:\Windows\SysWOW64\Bappgeqe.exe | C:\Windows\system32\Bappgeqe.exe | PID:6004
  - System Location Discovery: System Language Discovery
93⤵ C:\Windows\SysWOW64\Bflhplom.exe | C:\Windows\system32\Bflhplom.exe | PID:6048
94⤵ C:\Windows\SysWOW64\Bncqqioo.exe | C:\Windows\system32\Bncqqioo.exe | PID:6092
95⤵ C:\Windows\SysWOW64\Benincgl.exe | C:\Windows\system32\Benincgl.exe | PID:6136
96⤵ C:\Windows\SysWOW64\Bfoeel32.exe | C:\Windows\system32\Bfoeel32.exe | PID:5176
97⤵ C:\Windows\SysWOW64\Bnfmfi32.exe | C:\Windows\system32\Bnfmfi32.exe | PID:5224
98⤵ C:\Windows\SysWOW64\Bfabkk32.exe | C:\Windows\system32\Bfabkk32.exe | PID:5316
99⤵ C:\Windows\SysWOW64\Ccebdpia.exe | C:\Windows\system32\Ccebdpia.exe | PID:5396
100⤵ C:\Windows\SysWOW64\Cfcopkie.exe | C:\Windows\system32\Cfcopkie.exe | PID:5476
101⤵ C:\Windows\SysWOW64\Cjokaj32.exe | C:\Windows\system32\Cjokaj32.exe | PID:5556
102⤵ C:\Windows\SysWOW64\Cdgojogo.exe | C:\Windows\system32\Cdgojogo.exe | PID:5644
103⤵ C:\Windows\SysWOW64\Cnmcghgd.exe | C:\Windows\system32\Cnmcghgd.exe | PID:5692
104⤵ C:\Windows\SysWOW64\Cmpcbe32.exe | C:\Windows\system32\Cmpcbe32.exe | PID:5776
  - Modifies registry class
105⤵ C:\Windows\SysWOW64\Cdjlooel.exe | C:\Windows\system32\Cdjlooel.exe | PID:5920
  - Drops file in System32 directory
106⤵ C:\Windows\SysWOW64\Cfhhkj32.exe | C:\Windows\system32\Cfhhkj32.exe | PID:5992
107⤵ C:\Windows\SysWOW64\Cnopmh32.exe | C:\Windows\system32\Cnopmh32.exe | PID:6044
  - Modifies registry class
108⤵ C:\Windows\SysWOW64\Cdlheo32.exe | C:\Windows\system32\Cdlheo32.exe | PID:5868
109⤵ C:\Windows\SysWOW64\Denada32.exe | C:\Windows\system32\Denada32.exe | PID:712
  - System Location Discovery: System Language Discovery
110⤵ C:\Windows\SysWOW64\Dfakaile.exe | C:\Windows\system32\Dfakaile.exe | PID:5184
111⤵ C:\Windows\SysWOW64\Dfdggi32.exe | C:\Windows\system32\Dfdggi32.exe | PID:5304
112⤵ C:\Windows\SysWOW64\Dalhjahe.exe | C:\Windows\system32\Dalhjahe.exe | PID:5432
113⤵ C:\Windows\SysWOW64\Eobfieel.exe | C:\Windows\system32\Eobfieel.exe | PID:1576
114⤵ C:\Windows\SysWOW64\Emjopaha.exe | C:\Windows\system32\Emjopaha.exe | PID:5748
  - System Location Discovery: System Language Discovery
115⤵ C:\Windows\SysWOW64\Eoiljdod.exe | C:\Windows\system32\Eoiljdod.exe | PID:5796
116⤵ C:\Windows\SysWOW64\Edfdbkml.exe | C:\Windows\system32\Edfdbkml.exe | PID:5952
117⤵ C:\Windows\SysWOW64\Fokhodmb.exe | C:\Windows\system32\Fokhodmb.exe | PID:3860
118⤵ C:\Windows\SysWOW64\Fkbidebf.exe | C:\Windows\system32\Fkbidebf.exe | PID:3524
119⤵ C:\Windows\SysWOW64\Fkdfjdqc.exe | C:\Windows\system32\Fkdfjdqc.exe | PID:5212
120⤵ C:\Windows\SysWOW64\Fkgbod32.exe | C:\Windows\system32\Fkgbod32.exe | PID:5348
  - Modifies registry class
121⤵ C:\Windows\SysWOW64\Foekebeg.exe | C:\Windows\system32\Foekebeg.exe | PID:4256
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
122⤵ C:\Windows\SysWOW64\Facgandk.exe | C:\Windows\system32\Facgandk.exe | PID:5772
  - Adds autorun key to be loaded by Explorer.exe on startup
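To turn the two tables above into something a responder can act on, here is an added example (not part of the report and not code from the sandbox vendor) that rebuilds the parent-to-child chain from the "wrote to memory of" rows and applies two heuristics read off this process list. The row regex, the reduced (pid, image path, command line) tuples, and the eight-letter name pattern are assumptions fitted to this report; the sample rows are copied from the report but cut to the first four hops so the block stays short.

```python
"""Rebuild the parent->child chain from a sandbox WriteProcessMemory table.

Added example; the row regex and the name heuristic are assumptions fitted
to this report, not a vendor signature.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the report's "Suspicious use of
# WriteProcessMemory" table, cut to the first four hops.
SAMPLE_ROWS = """\
PID 180 wrote to memory of 844 180 9106cfc772c5be015eb9960b0e2ebd10N.exe 90
PID 180 wrote to memory of 844 180 9106cfc772c5be015eb9960b0e2ebd10N.exe 90
PID 180 wrote to memory of 844 180 9106cfc772c5be015eb9960b0e2ebd10N.exe 90
PID 844 wrote to memory of 2108 844 Kickhg32.exe 91
PID 844 wrote to memory of 2108 844 Kickhg32.exe 91
PID 844 wrote to memory of 2108 844 Kickhg32.exe 91
PID 2108 wrote to memory of 4492 2108 Kblpalgf.exe 92
PID 2108 wrote to memory of 4492 2108 Kblpalgf.exe 92
PID 2108 wrote to memory of 4492 2108 Kblpalgf.exe 92
PID 4492 wrote to memory of 1148 4492 Kejlmhfj.exe 94
PID 4492 wrote to memory of 1148 4492 Kejlmhfj.exe 94
PID 4492 wrote to memory of 1148 4492 Kejlmhfj.exe 94
"""

# Constructed sample of the process list, reduced to (pid, image path, command
# line); the values are the first five entries of the report's process tree.
SAMPLE_PROCS = [
    (180, r"C:\Users\Admin\AppData\Local\Temp\9106cfc772c5be015eb9960b0e2ebd10N.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\9106cfc772c5be015eb9960b0e2ebd10N.exe"'),
    (844, r"C:\Windows\SysWOW64\Kickhg32.exe", r"C:\Windows\system32\Kickhg32.exe"),
    (2108, r"C:\Windows\SysWOW64\Kblpalgf.exe", r"C:\Windows\system32\Kblpalgf.exe"),
    (4492, r"C:\Windows\SysWOW64\Kejlmhfj.exe", r"C:\Windows\system32\Kejlmhfj.exe"),
    (1148, r"C:\Windows\SysWOW64\Kifhnf32.exe", r"C:\Windows\system32\Kifhnf32.exe"),
]

# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

# Assumed heuristic: eight-letter capitalised name, optionally ending in "32",
# which is the shape of every dropped binary in this chain.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:32|[a-z]{2})\.exe$")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, procid_target) per row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], int(m[4])))
    return events


def build_chain(events):
    """Walk writer->target edges from the root (the one writer nobody wrote to)."""
    children, writes, image = defaultdict(set), Counter(), {}
    for writer, target, img, _ in events:
        children[writer].add(target)
        writes[(writer, target)] += 1
        image[writer] = img
    targets = {t for _, t, _, _ in events}
    roots = [w for w in children if w not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    chain, seen, pid, linear = [], set(), roots[0], True
    while pid in children and pid not in seen:      # seen guards against cycles
        seen.add(pid)
        kids = sorted(children[pid])
        linear = linear and len(kids) == 1          # fan-out would break the chain shape
        chain.append((pid, image[pid], kids[0], writes[(pid, kids[0])]))
        pid = kids[0]
    return {"root": roots[0], "linear": linear, "chain": chain}


def triage_process(image_path, cmdline):
    """Per-process flags; both are heuristics read off this report, not signatures."""
    flags = []
    if image_path.lower().startswith("c:\\windows\\syswow64\\") and "\\system32\\" in cmdline.lower():
        flags.append("wow64-redirect")   # 32-bit child launched via system32, landed in SysWOW64
    if DROPPED_NAME_RE.match(image_path.rsplit("\\", 1)[-1]):
        flags.append("generated-name")
    return flags


def report(rows=SAMPLE_ROWS, procs=SAMPLE_PROCS):
    """Chain shape plus per-PID flags and the dropped file names worth sweeping for."""
    result = build_chain(parse_rows(rows))
    result["hops"] = len(result["chain"])
    result["flags"] = {pid: triage_process(img, cmd) for pid, img, cmd in procs}
    result["dropped"] = [img.rsplit("\\", 1)[-1] for pid, img, _ in procs
                         if "generated-name" in result["flags"][pid]]
    return result


if __name__ == "__main__":
    r = report()
    print(f"root PID {r['root']}, {r['hops']} hops, linear={r['linear']}")
    for writer, img, target, n in r["chain"]:
        print(f"  {writer} ({img}) -> {target}: {n} writes")
    print("dropped:", ", ".join(r["dropped"]))
```

A parent writing into a process it has just created is also what an ordinary CreateProcess looks like to an API monitor, so the three writes per hop prove little on their own. The signal in this report is the shape the script checks for: a strictly linear chain of freshly dropped SysWOW64 binaries, each launched through the redirected system32 path, which it separates from the original sample so the dropped names can go straight into a filename sweep of other hosts.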