Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28-09-2024 10:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6N.exe
-
Size
89KB
-
MD5
caf0413fb0897d434f39148efe1ac310
-
SHA1
e4a731f49f861f1e26e50891c81fe60ca7a349e9
-
SHA256
94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6
-
SHA512
a5a638ade5b82a7e2e390dddc1998ebf0a5f0ec50935fb60ee297ac818cc6257c861f59c9374ba03cee0b6e3a7b3627c887eb9e8f9c1da65c0cf1eeee427784a
-
SSDEEP
1536:ymnP9qLnhXM8RQ8nC44JAd/aqj6iqg88cDDNMLKxtlVVUrMtcelExkg8Fk:xnMhTjnJKbljUr4celakgwk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaonjngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knlleepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklphekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdehlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdliame.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbqqkkbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffpicn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklfgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioopml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlmdbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adikdfna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jblijebc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmnmgnoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpbfii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqdaadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnelok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jimekgff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmllkja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpcodihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageolo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhihdcbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difpmfna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbcke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejfeng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmgcgbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnffqf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbkmijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfelogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgagbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkobjpin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efafgifc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggpbjkpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgogbgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1452 Iicbehnq.exe 264 Icifbang.exe 3256 Iejcji32.exe 3808 Imakkfdg.exe 4032 Ickchq32.exe 1300 Ifjodl32.exe 4920 Iihkpg32.exe 3000 Ipbdmaah.exe 4488 Icnpmp32.exe 5000 Ifllil32.exe 5024 Ieolehop.exe 4192 Ilidbbgl.exe 3484 Jfoiokfb.exe 5052 Jimekgff.exe 736 Jlkagbej.exe 1496 Jbeidl32.exe 4908 Jmknaell.exe 1436 Jcefno32.exe 2644 Jfcbjk32.exe 4496 Jmmjgejj.exe 2316 Jlpkba32.exe 2260 Jcgbco32.exe 2960 Jmpgldhg.exe 3200 Jpnchp32.exe 4684 Jeklag32.exe 2104 Jmbdbd32.exe 3928 Kboljk32.exe 364 Klgqcqkl.exe 1412 Kdnidn32.exe 3756 Kmfmmcbo.exe 4080 Kimnbd32.exe 624 Kdcbom32.exe 1988 Kmkfhc32.exe 2692 Kpjcdn32.exe 3760 Kefkme32.exe 4448 Kplpjn32.exe 5032 Llcpoo32.exe 2340 Lekehdgp.exe 4640 Lenamdem.exe 3488 Lmdina32.exe 1036 Ldoaklml.exe 2904 Lepncd32.exe 4840 Likjcbkc.exe 764 Ldanqkki.exe 5100 Lebkhc32.exe 3608 Lllcen32.exe 2200 Mdckfk32.exe 4000 Mgagbf32.exe 5092 Mdehlk32.exe 3712 Mchhggno.exe 2592 Mmnldp32.exe 5104 Mplhql32.exe 4240 Mgfqmfde.exe 4812 Mmpijp32.exe 4176 Mcmabg32.exe 4768 Melnob32.exe 2764 Mpablkhc.exe 996 Mcpnhfhf.exe 3252 Miifeq32.exe 4552 Mlhbal32.exe 3104 Ngmgne32.exe 4732 Nngokoej.exe 2080 Nljofl32.exe 2092 Ndaggimg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bjfjka32.exe Bfjnjcni.exe File created C:\Windows\SysWOW64\Cpbbch32.exe Cqpbglno.exe File opened for modification C:\Windows\SysWOW64\Bkoigdom.exe Bhamkipi.exe File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Imakkfdg.exe Iejcji32.exe File created C:\Windows\SysWOW64\Pqnalj32.dll Jeqbpb32.exe File created C:\Windows\SysWOW64\Odjafd32.dll Nlleaeff.exe File created C:\Windows\SysWOW64\Ajlgckkf.dll Oeaoab32.exe File opened for modification C:\Windows\SysWOW64\Ldoaklml.exe Lmdina32.exe File opened for modification C:\Windows\SysWOW64\Bjaqpbkh.exe Bfedoc32.exe File opened for modification C:\Windows\SysWOW64\Cobkhb32.exe Cihclh32.exe File opened for modification C:\Windows\SysWOW64\Gjfnedho.exe Gbofcghl.exe File created C:\Windows\SysWOW64\Kmkfhc32.exe Kdcbom32.exe File created C:\Windows\SysWOW64\Ioopml32.exe Idjlpc32.exe File opened for modification C:\Windows\SysWOW64\Amjillkj.exe Qlimed32.exe File created C:\Windows\SysWOW64\Mqpdko32.dll Cbdjeg32.exe File created C:\Windows\SysWOW64\Jiokfpph.exe Jfpojead.exe File opened for modification C:\Windows\SysWOW64\Jkimho32.exe Jgnqgqan.exe File created C:\Windows\SysWOW64\Aahbbkaq.exe Aknifq32.exe File created C:\Windows\SysWOW64\Aajohjon.exe Aolblopj.exe File opened for modification C:\Windows\SysWOW64\Lmaamn32.exe Process not Found File created C:\Windows\SysWOW64\Onapdl32.exe Process not Found File created C:\Windows\SysWOW64\Onahgf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pfolbmje.exe Pcppfaka.exe File opened for modification C:\Windows\SysWOW64\Edjgfcec.exe Ejbbmnnb.exe File created C:\Windows\SysWOW64\Peieba32.exe Poomegpf.exe File created C:\Windows\SysWOW64\Nnafno32.exe Process not Found File created C:\Windows\SysWOW64\Klmpiiai.exe Kiodmn32.exe File created C:\Windows\SysWOW64\Heolpdjf.dll Iqpfjnba.exe File created C:\Windows\SysWOW64\Mgobel32.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Obnbpa32.dll Mgobel32.exe File opened for modification C:\Windows\SysWOW64\Nlmdbh32.exe Neclenfo.exe File created C:\Windows\SysWOW64\Lgbloglj.exe Process not Found File created C:\Windows\SysWOW64\Chfegk32.exe Process not Found File created C:\Windows\SysWOW64\Pmoahijl.exe Ofeilobp.exe File created C:\Windows\SysWOW64\Accfbokl.exe Aadifclh.exe File created C:\Windows\SysWOW64\Llflea32.exe Lgkpdcmi.exe File opened for modification C:\Windows\SysWOW64\Mlbkap32.exe Mehcdfch.exe File created C:\Windows\SysWOW64\Dodjjimm.exe Dmennnni.exe File opened for modification C:\Windows\SysWOW64\Hlglidlo.exe Process not Found File created C:\Windows\SysWOW64\Ifenan32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Chmndlge.exe Cabfga32.exe File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe Deagdn32.exe File created C:\Windows\SysWOW64\Qnbidcgp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qmmnjfnl.exe Qjoankoi.exe File created C:\Windows\SysWOW64\Bhoqeibl.exe Bfpdin32.exe File created C:\Windows\SysWOW64\Oaqbkn32.exe Oobfob32.exe File created C:\Windows\SysWOW64\Ngndaccj.exe Process not Found File created C:\Windows\SysWOW64\Amgapeea.exe Ajhddjfn.exe File created C:\Windows\SysWOW64\Fonahn32.dll Fkqeib32.exe File created C:\Windows\SysWOW64\Ndlapjeg.dll Jklphekp.exe File created C:\Windows\SysWOW64\Fjebhadm.dll Qohpkf32.exe File created C:\Windows\SysWOW64\Aphblj32.dll Bkaobnio.exe File created C:\Windows\SysWOW64\Qpcecb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jblijebc.exe Jpmlnjco.exe File created C:\Windows\SysWOW64\Fbgnfajk.dll Keonap32.exe File opened for modification C:\Windows\SysWOW64\Nookip32.exe Nibbqicm.exe File opened for modification C:\Windows\SysWOW64\Qoelkp32.exe Qhkdof32.exe File opened for modification C:\Windows\SysWOW64\Daconoae.exe Dkifae32.exe File opened for modification C:\Windows\SysWOW64\Llpmoiof.exe Lhdqnj32.exe File created C:\Windows\SysWOW64\Jhdnigno.dll Ipoopgnf.exe File created C:\Windows\SysWOW64\Eodolnaf.dll Feoodn32.exe File created C:\Windows\SysWOW64\Dhfajjoj.exe Ddjejl32.exe File created C:\Windows\SysWOW64\Ocffempp.exe Ollnhb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9968 10424 Process not Found 1332 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allpejfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmgfgdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lemkcnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dheibpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeadd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inainbcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbenmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djelgied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiokfpph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlklkgei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjchaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kinmcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdcbom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijogmdqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeklag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgfkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noehba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhefhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfoiokfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenamdem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfdie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eonehbjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokcklid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oofaiokl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fojedapj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbmkpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhapk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anaomkdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifkpknp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmnldp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inbqhhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bciehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Falcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkdhjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll" Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkeodaai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" Feoodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eefaomcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egnchd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Leoghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqnmlj32.dll" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdokpl32.dll" Mhilfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdjibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkemhahj.dll" Nhmofj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eefaomcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdgged32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll" Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll" Kefkme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiqhki32.dll" Noehba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aekddhcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijgdejm.dll" Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bombmcec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nenbjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Camddhoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfhnaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqaffn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lldopb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbhpch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdicienl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bppfmigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpnihiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll" Mgfqmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbekqdjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjaopom.dll" Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njfagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdckfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odkjng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnjhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflbhhom.dll" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aopmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkpool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkjlic32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2288 wrote to memory of 1452 2288 94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6N.exe 82 PID 2288 wrote to memory of 1452 2288 94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6N.exe 82 PID 2288 wrote to memory of 1452 2288 94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6N.exe 82 PID 1452 wrote to memory of 264 1452 Iicbehnq.exe 83 PID 1452 wrote to memory of 264 1452 Iicbehnq.exe 83 PID 1452 wrote to memory of 264 1452 Iicbehnq.exe 83 PID 264 wrote to memory of 3256 264 Icifbang.exe 84 PID 264 wrote to memory of 3256 264 Icifbang.exe 84 PID 264 wrote to memory of 3256 264 Icifbang.exe 84 PID 3256 wrote to memory of 3808 3256 Iejcji32.exe 85 PID 3256 wrote to memory of 3808 3256 Iejcji32.exe 85 PID 3256 wrote to memory of 3808 3256 Iejcji32.exe 85 PID 3808 wrote to memory of 4032 3808 Imakkfdg.exe 86 PID 3808 wrote to memory of 4032 3808 Imakkfdg.exe 86 PID 3808 wrote to memory of 4032 3808 Imakkfdg.exe 86 PID 4032 wrote to memory of 1300 4032 Ickchq32.exe 87 PID 4032 wrote to memory of 1300 4032 Ickchq32.exe 87 PID 4032 wrote to memory of 1300 4032 Ickchq32.exe 87 PID 1300 wrote to memory of 4920 1300 Ifjodl32.exe 88 PID 1300 wrote to memory of 4920 1300 Ifjodl32.exe 88 PID 1300 wrote to memory of 4920 1300 Ifjodl32.exe 88 PID 4920 wrote to memory of 3000 4920 Iihkpg32.exe 89 PID 4920 wrote to memory of 3000 4920 Iihkpg32.exe 89 PID 4920 wrote to memory of 3000 4920 Iihkpg32.exe 89 PID 3000 wrote to memory of 4488 3000 Ipbdmaah.exe 90 PID 3000 wrote to memory of 4488 3000 Ipbdmaah.exe 90 PID 3000 wrote to memory of 4488 3000 Ipbdmaah.exe 90 PID 4488 wrote to memory of 5000 4488 Icnpmp32.exe 91 PID 4488 wrote to memory of 5000 4488 Icnpmp32.exe 91 PID 4488 wrote to memory of 5000 4488 Icnpmp32.exe 91 PID 5000 wrote to memory of 5024 5000 Ifllil32.exe 92 PID 5000 wrote to memory of 5024 5000 Ifllil32.exe 92 PID 5000 wrote to memory of 5024 5000 Ifllil32.exe 92 PID 5024 wrote to memory of 4192 5024 Ieolehop.exe 93 PID 5024 wrote to memory of 4192 5024 Ieolehop.exe 93 PID 5024 wrote to memory of 4192 5024 Ieolehop.exe 93 PID 4192 wrote to memory of 3484 4192 Ilidbbgl.exe 94 PID 4192 wrote to memory of 3484 4192 Ilidbbgl.exe 94 PID 4192 wrote to memory of 3484 4192 Ilidbbgl.exe 94 PID 3484 wrote to memory of 5052 3484 Jfoiokfb.exe 95 PID 3484 wrote to memory of 5052 3484 Jfoiokfb.exe 95 PID 3484 wrote to memory of 5052 3484 Jfoiokfb.exe 95 PID 5052 wrote to memory of 736 5052 Jimekgff.exe 96 PID 5052 wrote to memory of 736 5052 Jimekgff.exe 96 PID 5052 wrote to memory of 736 5052 Jimekgff.exe 96 PID 736 wrote to memory of 1496 736 Jlkagbej.exe 97 PID 736 wrote to memory of 1496 736 Jlkagbej.exe 97 PID 736 wrote to memory of 1496 736 Jlkagbej.exe 97 PID 1496 wrote to memory of 4908 1496 Jbeidl32.exe 98 PID 1496 wrote to memory of 4908 1496 Jbeidl32.exe 98 PID 1496 wrote to memory of 4908 1496 Jbeidl32.exe 98 PID 4908 wrote to memory of 1436 4908 Jmknaell.exe 99 PID 4908 wrote to memory of 1436 4908 Jmknaell.exe 99 PID 4908 wrote to memory of 1436 4908 Jmknaell.exe 99 PID 1436 wrote to memory of 2644 1436 Jcefno32.exe 100 PID 1436 wrote to memory of 2644 1436 Jcefno32.exe 100 PID 1436 wrote to memory of 2644 1436 Jcefno32.exe 100 PID 2644 wrote to memory of 4496 2644 Jfcbjk32.exe 101 PID 2644 wrote to memory of 4496 2644 Jfcbjk32.exe 101 PID 2644 wrote to memory of 4496 2644 Jfcbjk32.exe 101 PID 4496 wrote to memory of 2316 4496 Jmmjgejj.exe 102 PID 4496 wrote to memory of 2316 4496 Jmmjgejj.exe 102 PID 4496 wrote to memory of 2316 4496 Jmmjgejj.exe 102 PID 2316 wrote to memory of 2260 2316 Jlpkba32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6N.exe"C:\Users\Admin\AppData\Local\Temp\94fa2698f843e1dbe088ad8807a670de623c121eb1d4edc04cf5b9ddea2ddfa6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe23⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe24⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe25⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4684 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe27⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe28⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe29⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe30⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe31⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe32⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe34⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe38⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe39⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4640 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3488 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe42⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe43⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe44⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe45⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe46⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe47⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe51⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe53⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe55⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe56⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe57⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe58⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe59⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe60⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe61⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe62⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe63⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe64⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe65⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe66⤵PID:2704
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe69⤵PID:4560
-
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe70⤵PID:4420
-
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe71⤵PID:4936
-
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe72⤵PID:2844
-
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe73⤵PID:3604
-
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe74⤵PID:2056
-
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe75⤵PID:3220
-
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe76⤵
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe77⤵PID:3144
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe78⤵PID:4160
-
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe80⤵PID:4472
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe81⤵PID:3388
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe82⤵PID:1972
-
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe83⤵PID:4268
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe84⤵PID:3572
-
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe85⤵PID:4424
-
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe86⤵PID:1180
-
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe87⤵
- Drops file in System32 directory
PID:388 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe88⤵PID:1684
-
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe89⤵
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe90⤵PID:1532
-
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe91⤵PID:912
-
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe92⤵PID:3208
-
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe93⤵PID:4344
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe94⤵PID:1472
-
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe95⤵PID:1728
-
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe96⤵PID:1640
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe97⤵PID:1312
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe98⤵
- Drops file in System32 directory
PID:4680 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe99⤵PID:4500
-
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe100⤵PID:4456
-
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe101⤵PID:856
-
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe102⤵PID:3648
-
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe103⤵PID:3184
-
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe104⤵PID:4540
-
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe105⤵PID:2208
-
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe106⤵
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe107⤵PID:2224
-
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe108⤵PID:1508
-
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe109⤵PID:5056
-
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe110⤵PID:2380
-
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe112⤵PID:5192
-
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe113⤵PID:5236
-
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe114⤵PID:5280
-
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe115⤵PID:5324
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe116⤵
- Modifies registry class
PID:5368 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe118⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe119⤵PID:5500
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe120⤵PID:5544
-
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe121⤵PID:5588
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-