Analysis
-
max time kernel
96s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2024 18:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9N.exe
-
Size
64KB
-
MD5
e970ea7685942608f6c85794ad0525b0
-
SHA1
5a28bbf621dfbe9a485d1c42524de5b8ab0c24b7
-
SHA256
cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9
-
SHA512
8cd809bbae6f175c8c5b58c38ca66804db05c01c4f9361d6d2e81c4dbec1546a60b881f13850bd67aecb8753ed1380f38b4ea8398a389e20bde1859ebd6ab360
-
SSDEEP
1536:P1I7Nd4IORXf5UeWcRd44losC4tTUXruCHcpzt/Idn:tI7NfuXWDAxoHgvpFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbfldf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeldnpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeehkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdnid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lblaabdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efmmmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjneln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkbfeab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfklhhcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpiljh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoogfnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbjbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkadfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lankbigo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnfnlf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajeon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhngolpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnbgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgogbgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmingjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcicklnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmdme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchlpfjb.exe -
Executes dropped EXE 64 IoCs
pid Process 4904 Aabmqd32.exe 512 Aglemn32.exe 744 Anfmjhmd.exe 3916 Aadifclh.exe 4580 Agoabn32.exe 2220 Bmkjkd32.exe 4424 Bebblb32.exe 4632 Bfdodjhm.exe 2012 Bnkgeg32.exe 1696 Bchomn32.exe 4484 Bgcknmop.exe 4776 Bffkij32.exe 2804 Bnmcjg32.exe 2328 Balpgb32.exe 4244 Bcjlcn32.exe 464 Bnbmefbg.exe 708 Bcoenmao.exe 804 Cjinkg32.exe 3336 Cmgjgcgo.exe 376 Chmndlge.exe 4572 Cfpnph32.exe 3024 Cmiflbel.exe 3480 Ceqnmpfo.exe 448 Chokikeb.exe 3388 Cjmgfgdf.exe 2576 Chagok32.exe 216 Cdhhdlid.exe 460 Cmqmma32.exe 4724 Dejacond.exe 220 Dobfld32.exe 2924 Dhkjej32.exe 1832 Dmgbnq32.exe 2840 Daconoae.exe 3840 Dkkcge32.exe 1912 Dddhpjof.exe 4396 Dknpmdfc.exe 2760 Eecdjmfi.exe 2240 Egdqae32.exe 3932 Eajeon32.exe 3428 Eggmge32.exe 2148 Ealadnik.exe 4200 Eaonjngh.exe 664 Eglgbdep.exe 4644 Eemgplno.exe 4084 Eoekia32.exe 1528 Fdbdah32.exe 2364 Fkllnbjc.exe 4800 Feapkk32.exe 1428 Fhpmgg32.exe 1204 Fahaplon.exe 2296 Fhbimf32.exe 3208 Folaiqng.exe 3900 Fefjfked.exe 4388 Fggfnc32.exe 4808 Fnaokmco.exe 3368 Famjkl32.exe 2744 Fdkggg32.exe 1760 Fhgbhfbe.exe 1196 Fkeodaai.exe 4748 Gaogak32.exe 2664 Gekcaj32.exe 4732 Ghipne32.exe 3596 Gkglja32.exe 4384 Gochjpho.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mkadfj32.exe Megljppl.exe File created C:\Windows\SysWOW64\Ocdjpmac.exe Opemca32.exe File created C:\Windows\SysWOW64\Igleoo32.dll Caienjfd.exe File created C:\Windows\SysWOW64\Cnaqob32.dll Process not Found File created C:\Windows\SysWOW64\Paedlhhc.dll Meepdp32.exe File created C:\Windows\SysWOW64\Coppbe32.dll Process not Found File created C:\Windows\SysWOW64\Dhdbhifj.exe Process not Found File created C:\Windows\SysWOW64\Epeqehhl.dll Ibkpcg32.exe File created C:\Windows\SysWOW64\Fqibbo32.dll Jjpode32.exe File opened for modification C:\Windows\SysWOW64\Emhkdmlg.exe Dfnbgc32.exe File opened for modification C:\Windows\SysWOW64\Ggkqgaol.exe Process not Found File opened for modification C:\Windows\SysWOW64\Loofnccf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hoogfnnb.exe Hheoid32.exe File created C:\Windows\SysWOW64\Bfpdin32.exe Boflmdkk.exe File opened for modification C:\Windows\SysWOW64\Hginecde.exe Hdjbiheb.exe File created C:\Windows\SysWOW64\Mnkggfkb.exe Mkmkkjko.exe File created C:\Windows\SysWOW64\Dgegjnih.dll Oclkgccf.exe File created C:\Windows\SysWOW64\Lqppgj32.dll Process not Found File created C:\Windows\SysWOW64\Afjpan32.dll Process not Found File created C:\Windows\SysWOW64\Jlojif32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Afghneoo.exe Aompak32.exe File created C:\Windows\SysWOW64\Ejahqlpp.dll Acpbbi32.exe File opened for modification C:\Windows\SysWOW64\Gpgind32.exe Gimqajgh.exe File opened for modification C:\Windows\SysWOW64\Apnndj32.exe Process not Found File created C:\Windows\SysWOW64\Lhlgfb32.dll Hdokdg32.exe File opened for modification C:\Windows\SysWOW64\Oocddono.exe Olehhc32.exe File opened for modification C:\Windows\SysWOW64\Dapkni32.exe Diicml32.exe File created C:\Windows\SysWOW64\Jjpode32.exe Jcfggkac.exe File opened for modification C:\Windows\SysWOW64\Kjlopc32.exe Kgnbdh32.exe File created C:\Windows\SysWOW64\Mfeeabda.exe Mcgiefen.exe File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Process not Found File opened for modification C:\Windows\SysWOW64\Olehhc32.exe Oigllh32.exe File opened for modification C:\Windows\SysWOW64\Gihgfk32.exe Gbnoiqdq.exe File opened for modification C:\Windows\SysWOW64\Emmkiclm.exe Ejoomhmi.exe File opened for modification C:\Windows\SysWOW64\Ingpmmgm.exe Hgmgqc32.exe File created C:\Windows\SysWOW64\Hjfhhm32.dll Cjinkg32.exe File created C:\Windows\SysWOW64\Knodgg32.dll Mhbmphjm.exe File created C:\Windows\SysWOW64\Pnifekmd.exe Pfandnla.exe File created C:\Windows\SysWOW64\Phlepppi.dll Process not Found File created C:\Windows\SysWOW64\Hnibokbd.exe Process not Found File created C:\Windows\SysWOW64\Mfnhfm32.exe Process not Found File created C:\Windows\SysWOW64\Kkfcndce.exe Kiggbhda.exe File created C:\Windows\SysWOW64\Ioolkncg.exe Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Hjedffig.exe Hhdhon32.exe File created C:\Windows\SysWOW64\Aeddnp32.exe Aojlaeei.exe File created C:\Windows\SysWOW64\Ejdeelde.dll Bcfahbpo.exe File opened for modification C:\Windows\SysWOW64\Cocjiehd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Llipehgk.exe Likcilhh.exe File opened for modification C:\Windows\SysWOW64\Djklmo32.exe Dfoplpla.exe File opened for modification C:\Windows\SysWOW64\Hibjli32.exe Holfoqcm.exe File created C:\Windows\SysWOW64\Gcgplk32.dll Process not Found File created C:\Windows\SysWOW64\Bapgdm32.exe Process not Found File created C:\Windows\SysWOW64\Cimcan32.exe Cjjcfabm.exe File created C:\Windows\SysWOW64\Icahfh32.dll Kqpoakco.exe File opened for modification C:\Windows\SysWOW64\Boflmdkk.exe Blhpqhlh.exe File created C:\Windows\SysWOW64\Ggfglb32.exe Process not Found File created C:\Windows\SysWOW64\Ajbfciej.dll Process not Found File created C:\Windows\SysWOW64\Pibdmp32.exe Pchlpfjb.exe File opened for modification C:\Windows\SysWOW64\Kcmmhj32.exe Kpoalo32.exe File created C:\Windows\SysWOW64\Cippgm32.exe Cfadkb32.exe File opened for modification C:\Windows\SysWOW64\Gljgbllj.exe Gikkfqmf.exe File created C:\Windows\SysWOW64\Gdgfce32.exe Gahjgj32.exe File opened for modification C:\Windows\SysWOW64\Khmknk32.exe Kflnfcgg.exe File created C:\Windows\SysWOW64\Gelfeh32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 11296 11660 Process not Found 1466 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndljll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecabifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjbiheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjeomld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbidimc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdocm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqfll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoaojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcoenmao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdigadjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmqfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphphj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgplado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghcocol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neclenfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlejcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfandnla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmenca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfdjinjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplicjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiipmhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obafpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhoqeibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnbgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmmqheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakbehfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcjdd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noehba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedobm32.dll" Bhcjqinf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfjfecno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcnmjgff.dll" Goedpofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neqhhf32.dll" Dcpmen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimngjie.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olehhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaopfjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll" Nmkmjjaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjafn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llipehgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeodmbol.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll" Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebkgjkg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pofjpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icland32.dll" Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmnmgnoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmaffnce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlqqcnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feoodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinjhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfcabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabphdjm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikki32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohnohn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngbbg32.dll" Llflea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkpck32.dll" Hmnmgnoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblkiipl.dll" Fhbimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qadoba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfmcmai.dll" Ckmonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohjlmeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpolbbim.dll" Nqpcjj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1276 wrote to memory of 4904 1276 cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9N.exe 82 PID 1276 wrote to memory of 4904 1276 cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9N.exe 82 PID 1276 wrote to memory of 4904 1276 cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9N.exe 82 PID 4904 wrote to memory of 512 4904 Aabmqd32.exe 83 PID 4904 wrote to memory of 512 4904 Aabmqd32.exe 83 PID 4904 wrote to memory of 512 4904 Aabmqd32.exe 83 PID 512 wrote to memory of 744 512 Aglemn32.exe 84 PID 512 wrote to memory of 744 512 Aglemn32.exe 84 PID 512 wrote to memory of 744 512 Aglemn32.exe 84 PID 744 wrote to memory of 3916 744 Anfmjhmd.exe 85 PID 744 wrote to memory of 3916 744 Anfmjhmd.exe 85 PID 744 wrote to memory of 3916 744 Anfmjhmd.exe 85 PID 3916 wrote to memory of 4580 3916 Aadifclh.exe 86 PID 3916 wrote to memory of 4580 3916 Aadifclh.exe 86 PID 3916 wrote to memory of 4580 3916 Aadifclh.exe 86 PID 4580 wrote to memory of 2220 4580 Agoabn32.exe 87 PID 4580 wrote to memory of 2220 4580 Agoabn32.exe 87 PID 4580 wrote to memory of 2220 4580 Agoabn32.exe 87 PID 2220 wrote to memory of 4424 2220 Bmkjkd32.exe 88 PID 2220 wrote to memory of 4424 2220 Bmkjkd32.exe 88 PID 2220 wrote to memory of 4424 2220 Bmkjkd32.exe 88 PID 4424 wrote to memory of 4632 4424 Bebblb32.exe 89 PID 4424 wrote to memory of 4632 4424 Bebblb32.exe 89 PID 4424 wrote to memory of 4632 4424 Bebblb32.exe 89 PID 4632 wrote to memory of 2012 4632 Bfdodjhm.exe 90 PID 4632 wrote to memory of 2012 4632 Bfdodjhm.exe 90 PID 4632 wrote to memory of 2012 4632 Bfdodjhm.exe 90 PID 2012 wrote to memory of 1696 2012 Bnkgeg32.exe 91 PID 2012 wrote to memory of 1696 2012 Bnkgeg32.exe 91 PID 2012 wrote to memory of 1696 2012 Bnkgeg32.exe 91 PID 1696 wrote to memory of 4484 1696 Bchomn32.exe 92 PID 1696 wrote to memory of 4484 1696 Bchomn32.exe 92 PID 1696 wrote to memory of 4484 1696 Bchomn32.exe 92 PID 4484 wrote to memory of 4776 4484 Bgcknmop.exe 93 PID 4484 wrote to memory of 4776 4484 Bgcknmop.exe 93 PID 4484 wrote to memory of 4776 4484 Bgcknmop.exe 93 PID 4776 wrote to memory of 2804 4776 Bffkij32.exe 94 PID 4776 wrote to memory of 2804 4776 Bffkij32.exe 94 PID 4776 wrote to memory of 2804 4776 Bffkij32.exe 94 PID 2804 wrote to memory of 2328 2804 Bnmcjg32.exe 95 PID 2804 wrote to memory of 2328 2804 Bnmcjg32.exe 95 PID 2804 wrote to memory of 2328 2804 Bnmcjg32.exe 95 PID 2328 wrote to memory of 4244 2328 Balpgb32.exe 96 PID 2328 wrote to memory of 4244 2328 Balpgb32.exe 96 PID 2328 wrote to memory of 4244 2328 Balpgb32.exe 96 PID 4244 wrote to memory of 464 4244 Bcjlcn32.exe 97 PID 4244 wrote to memory of 464 4244 Bcjlcn32.exe 97 PID 4244 wrote to memory of 464 4244 Bcjlcn32.exe 97 PID 464 wrote to memory of 708 464 Bnbmefbg.exe 98 PID 464 wrote to memory of 708 464 Bnbmefbg.exe 98 PID 464 wrote to memory of 708 464 Bnbmefbg.exe 98 PID 708 wrote to memory of 804 708 Bcoenmao.exe 99 PID 708 wrote to memory of 804 708 Bcoenmao.exe 99 PID 708 wrote to memory of 804 708 Bcoenmao.exe 99 PID 804 wrote to memory of 3336 804 Cjinkg32.exe 100 PID 804 wrote to memory of 3336 804 Cjinkg32.exe 100 PID 804 wrote to memory of 3336 804 Cjinkg32.exe 100 PID 3336 wrote to memory of 376 3336 Cmgjgcgo.exe 101 PID 3336 wrote to memory of 376 3336 Cmgjgcgo.exe 101 PID 3336 wrote to memory of 376 3336 Cmgjgcgo.exe 101 PID 376 wrote to memory of 4572 376 Chmndlge.exe 102 PID 376 wrote to memory of 4572 376 Chmndlge.exe 102 PID 376 wrote to memory of 4572 376 Chmndlge.exe 102 PID 4572 wrote to memory of 3024 4572 Cfpnph32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9N.exe"C:\Users\Admin\AppData\Local\Temp\cdad38d9e68ec30ec87c254c01c2029942f5ed48011250ee9debe2029f6171d9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe23⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe24⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe25⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe26⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe27⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe28⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe29⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe30⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:220 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe32⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe33⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe34⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe35⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe36⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe37⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe38⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe39⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe41⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe42⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe43⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe44⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe45⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe46⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe47⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe48⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe49⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe50⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe51⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe53⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe54⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe55⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe56⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe57⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe58⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe59⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe60⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe61⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe62⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe63⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe64⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe65⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe66⤵PID:2076
-
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe67⤵PID:4052
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe68⤵PID:844
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe69⤵PID:4108
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe70⤵
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe71⤵PID:4788
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe72⤵PID:3612
-
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe73⤵PID:1372
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe74⤵
- Drops file in System32 directory
PID:4920 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe75⤵PID:1396
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe76⤵PID:3220
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe77⤵PID:2104
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe78⤵
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4032 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe80⤵PID:4016
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe81⤵PID:3512
-
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4804 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe83⤵PID:4836
-
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe84⤵PID:688
-
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe85⤵
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe86⤵
- Modifies registry class
PID:4352 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe87⤵PID:1460
-
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe88⤵PID:4292
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe89⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe90⤵PID:4948
-
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe91⤵PID:996
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe92⤵PID:532
-
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe93⤵PID:3604
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe94⤵PID:1752
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe95⤵PID:1040
-
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe96⤵PID:2916
-
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe97⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe98⤵PID:840
-
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe99⤵PID:3048
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe100⤵PID:5052
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe101⤵PID:740
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe102⤵PID:5032
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe103⤵PID:1036
-
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe104⤵PID:896
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe105⤵PID:2064
-
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe106⤵PID:5140
-
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe107⤵PID:5184
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe108⤵PID:5228
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe109⤵PID:5272
-
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe110⤵PID:5316
-
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe111⤵PID:5360
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe112⤵PID:5404
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe113⤵PID:5448
-
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe114⤵PID:5492
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe115⤵PID:5536
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe116⤵PID:5580
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe117⤵PID:5624
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe118⤵PID:5668
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe119⤵PID:5712
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe120⤵PID:5756
-
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe121⤵PID:5800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-