Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17/08/2024, 15:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d7bb22c2609f010b3517296b6877060N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8d7bb22c2609f010b3517296b6877060N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8d7bb22c2609f010b3517296b6877060N.exe
-
Size
320KB
-
MD5
8d7bb22c2609f010b3517296b6877060
-
SHA1
785d29cf3c431fa7a9f8fc783eef6f626c7c0e02
-
SHA256
7eb6bbc3873b091994b4bffe0af715171bcd133ea9e8200ffd65198b39ad7bc2
-
SHA512
8787dbe4daf100949fa80ff467d2f1ad368d339e7a4d21cbf2de79825fe064074074d9c849abd03926d31febe396588f918ca71ae0ec0b53e9ff858b80b099f0
-
SSDEEP
6144:SFQi2TqDEueYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMH:82dueYr75lTefkY660fIaDZkY660f
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpdjpbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgegcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bammeebe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonilenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cggikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdfcla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blpemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cddemi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkddeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogqcon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajlafon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ladpcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgbmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pignccea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehjdejkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdllhdco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcpaiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpcpjcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjapphl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgkdbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pphckb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djbbhafj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggjgofkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfpgmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejegdngb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jddnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkfnlmkl.exe -
Executes dropped EXE 64 IoCs
pid Process 2304 Mdodbf32.exe 3716 Mabdlk32.exe 2328 Mdaqhf32.exe 1320 Mhoind32.exe 4448 Nipffmmg.exe 1484 Ndejcemn.exe 2072 Nfdfoala.exe 2420 Nibbklke.exe 1620 Nieoal32.exe 4940 Nandhi32.exe 2884 Ndmpddfe.exe 2208 Nkghqo32.exe 2728 Oileakbj.exe 2556 Ohmepbki.exe 3320 Okkalnjm.exe 3916 Omlkmign.exe 2972 Okpkgm32.exe 4876 Ohdlpa32.exe 1212 Oalpigkb.exe 2820 Pncanhaf.exe 1564 Pgkegn32.exe 4632 Ppdjpcng.exe 4356 Pnhjig32.exe 3500 Pklkbl32.exe 1760 Pphckb32.exe 1636 Pnlcdg32.exe 952 Qgehml32.exe 2296 Qpmmfbfl.exe 3680 Qjeaog32.exe 2868 Ahgamo32.exe 4616 Aaofedkl.exe 3240 Ajjjjghg.exe 2548 Agnkck32.exe 996 Anhcpeon.exe 5008 Adbkmo32.exe 4404 Ajodef32.exe 4440 Addhbo32.exe 1140 Akopoi32.exe 2660 Bbhhlccb.exe 2608 Bhbahm32.exe 3624 Bjcmpepm.exe 1544 Bnoiqd32.exe 2800 Bggnijof.exe 1228 Bnaffdfc.exe 60 Bqpbboeg.exe 4768 Bhgjcmfi.exe 944 Bndblcdq.exe 440 Bdnkhn32.exe 3088 Bglgdi32.exe 3520 Bjkcqdje.exe 4368 Bdphnmjk.exe 2020 Bkjpkg32.exe 4776 Cbdhgaid.exe 2672 Cebdcmhh.exe 2716 Ckmmpg32.exe 2028 Cbfema32.exe 4248 Cgcmeh32.exe 3588 Ckoifgmb.exe 2312 Calbnnkj.exe 3732 Ckafkfkp.exe 4308 Cnpbgajc.exe 3140 Ckcbaf32.exe 4628 Cnboma32.exe 5128 Celgjlpn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bggnijof.exe Bnoiqd32.exe File opened for modification C:\Windows\SysWOW64\Okaabg32.exe Obkiqi32.exe File created C:\Windows\SysWOW64\Ohakkkfn.dll Megldcgd.exe File opened for modification C:\Windows\SysWOW64\Ipohpdbb.exe Ikbphn32.exe File created C:\Windows\SysWOW64\Flbjgn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fomfpg32.exe Process not Found File created C:\Windows\SysWOW64\Icdclifh.dll Process not Found File created C:\Windows\SysWOW64\Fjbddh32.exe Fchlhnlo.exe File created C:\Windows\SysWOW64\Mijofaje.exe Mflbjejb.exe File created C:\Windows\SysWOW64\Hfnpacjb.exe Hodgei32.exe File opened for modification C:\Windows\SysWOW64\Jbilnkjc.exe Process not Found File created C:\Windows\SysWOW64\Lnmkpm32.exe Process not Found File created C:\Windows\SysWOW64\Fblifijc.exe Process not Found File created C:\Windows\SysWOW64\Npjelo32.exe Nloikqnl.exe File created C:\Windows\SysWOW64\Fcleopbe.dll Process not Found File created C:\Windows\SysWOW64\Fpaqgf32.dll Process not Found File created C:\Windows\SysWOW64\Lqlmkp32.dll Bjcmpepm.exe File opened for modification C:\Windows\SysWOW64\Celgjlpn.exe Cnboma32.exe File created C:\Windows\SysWOW64\Oanicm32.dll Cnboma32.exe File created C:\Windows\SysWOW64\Jpaekgph.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mgimmkgp.exe Mdjapphl.exe File created C:\Windows\SysWOW64\Egcfmlqp.dll Bfabhppm.exe File created C:\Windows\SysWOW64\Pfffnphj.dll Jcknee32.exe File created C:\Windows\SysWOW64\Pfipfo32.dll Pdoofl32.exe File created C:\Windows\SysWOW64\Omfigmch.dll Nifnao32.exe File created C:\Windows\SysWOW64\Bmlofhca.exe Bgafin32.exe File opened for modification C:\Windows\SysWOW64\Aacjofkp.exe Ahkffqdo.exe File created C:\Windows\SysWOW64\Hgbaigln.dll Mjhqcmjo.exe File opened for modification C:\Windows\SysWOW64\Fgbfbc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ncjmob32.exe Process not Found File created C:\Windows\SysWOW64\Odpjml32.dll Process not Found File created C:\Windows\SysWOW64\Abdbef32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lkflpe32.exe Lihpdj32.exe File opened for modification C:\Windows\SysWOW64\Nfabok32.exe Nbefolao.exe File created C:\Windows\SysWOW64\Dofpqfof.exe Djihhoao.exe File created C:\Windows\SysWOW64\Phljflhe.dll Fchdnkpi.exe File created C:\Windows\SysWOW64\Pnmdkk32.dll Process not Found File created C:\Windows\SysWOW64\Dedeij32.dll Process not Found File created C:\Windows\SysWOW64\Gepkahmm.dll Process not Found File created C:\Windows\SysWOW64\Feiglp32.dll Fjpoio32.exe File created C:\Windows\SysWOW64\Ijjgbqlh.dll Iefedcmk.exe File opened for modification C:\Windows\SysWOW64\Cjabgm32.exe Ccgjjc32.exe File created C:\Windows\SysWOW64\Pajcllhp.dll Cofndo32.exe File opened for modification C:\Windows\SysWOW64\Mhenpk32.exe Mqnfon32.exe File created C:\Windows\SysWOW64\Iiehjgnp.exe Process not Found File created C:\Windows\SysWOW64\Pmgcidqm.exe Process not Found File created C:\Windows\SysWOW64\Plhcglil.exe Process not Found File created C:\Windows\SysWOW64\Hefneq32.exe Process not Found File created C:\Windows\SysWOW64\Eangjkkd.exe Ejdonq32.exe File created C:\Windows\SysWOW64\Gaepgacn.exe Gmjcgb32.exe File created C:\Windows\SysWOW64\Opfjmg32.dll Fqiiamjp.exe File created C:\Windows\SysWOW64\Ldjbbc32.dll Process not Found File created C:\Windows\SysWOW64\Aefjbo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dijppjfd.exe Dabhomea.exe File created C:\Windows\SysWOW64\Lihpdj32.exe Kifcnjpi.exe File opened for modification C:\Windows\SysWOW64\Pnbifmla.exe Phhpic32.exe File created C:\Windows\SysWOW64\Aajeigke.dll Djihhoao.exe File created C:\Windows\SysWOW64\Hlqmla32.exe Process not Found File created C:\Windows\SysWOW64\Peokkbao.exe Process not Found File created C:\Windows\SysWOW64\Jhcmbm32.exe Jokiig32.exe File opened for modification C:\Windows\SysWOW64\Odelpm32.exe Ofalfi32.exe File created C:\Windows\SysWOW64\Oiglen32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hfkdkqeo.exe Hanlcjgh.exe File opened for modification C:\Windows\SysWOW64\Hkkhjj32.exe Hfnpacjb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2608 904 Process not Found 2044 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agcbqecp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aloekjod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckiipa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bndblcdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onekeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbphdfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjffkhpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhohfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhkblii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdonq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbknqeha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbkkbdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efolidno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niblafgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkghqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jognokdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nildajdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cediab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkcihgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnkfelb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmbqdfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eangjkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajdff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcagdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbefolao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnfgmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhcdnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1268 Iempingp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjimaole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhbakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlefebfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcnnhjo.dll" Npjelo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhehmbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eegpkcbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdfcla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcpkeef.dll" Majoikof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omjhgoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmbdmib.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfndopfh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icakofel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffmj32.dll" Agojdnng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaldngqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoehdlk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjipmoai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkhkblii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigfndlc.dll" Eaoenjqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjogm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdknoojh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgbepdpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaianaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjgdgdma.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgcmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhmhiaka.dll" Nmbamdkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpjgfdg.dll" Pgknlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idailabn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdcekfc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laheqjdd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apcead32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clihcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnffjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamofk32.dll" Ldgkdbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bffkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddiik32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efolidno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjkek32.dll" Ahiiqafa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aemjjeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeabhnn.dll" Jklihbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeomnh32.dll" Mdnlkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddkpoelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiedaoip.dll" Ahffqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afafnj32.dll" Bdnkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baokejco.dll" Fjbddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kinefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncfdbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfjljb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 32 wrote to memory of 2304 32 8d7bb22c2609f010b3517296b6877060N.exe 93 PID 32 wrote to memory of 2304 32 8d7bb22c2609f010b3517296b6877060N.exe 93 PID 32 wrote to memory of 2304 32 8d7bb22c2609f010b3517296b6877060N.exe 93 PID 2304 wrote to memory of 3716 2304 Mdodbf32.exe 94 PID 2304 wrote to memory of 3716 2304 Mdodbf32.exe 94 PID 2304 wrote to memory of 3716 2304 Mdodbf32.exe 94 PID 3716 wrote to memory of 2328 3716 Mabdlk32.exe 95 PID 3716 wrote to memory of 2328 3716 Mabdlk32.exe 95 PID 3716 wrote to memory of 2328 3716 Mabdlk32.exe 95 PID 2328 wrote to memory of 1320 2328 Mdaqhf32.exe 96 PID 2328 wrote to memory of 1320 2328 Mdaqhf32.exe 96 PID 2328 wrote to memory of 1320 2328 Mdaqhf32.exe 96 PID 1320 wrote to memory of 4448 1320 Mhoind32.exe 97 PID 1320 wrote to memory of 4448 1320 Mhoind32.exe 97 PID 1320 wrote to memory of 4448 1320 Mhoind32.exe 97 PID 4448 wrote to memory of 1484 4448 Nipffmmg.exe 98 PID 4448 wrote to memory of 1484 4448 Nipffmmg.exe 98 PID 4448 wrote to memory of 1484 4448 Nipffmmg.exe 98 PID 1484 wrote to memory of 2072 1484 Ndejcemn.exe 99 PID 1484 wrote to memory of 2072 1484 Ndejcemn.exe 99 PID 1484 wrote to memory of 2072 1484 Ndejcemn.exe 99 PID 2072 wrote to memory of 2420 2072 Nfdfoala.exe 100 PID 2072 wrote to memory of 2420 2072 Nfdfoala.exe 100 PID 2072 wrote to memory of 2420 2072 Nfdfoala.exe 100 PID 2420 wrote to memory of 1620 2420 Nibbklke.exe 101 PID 2420 wrote to memory of 1620 2420 Nibbklke.exe 101 PID 2420 wrote to memory of 1620 2420 Nibbklke.exe 101 PID 1620 wrote to memory of 4940 1620 Nieoal32.exe 102 PID 1620 wrote to memory of 4940 1620 Nieoal32.exe 102 PID 1620 wrote to memory of 4940 1620 Nieoal32.exe 102 PID 4940 wrote to memory of 2884 4940 Nandhi32.exe 104 PID 4940 wrote to memory of 2884 4940 Nandhi32.exe 104 PID 4940 wrote to memory of 2884 4940 Nandhi32.exe 104 PID 2884 wrote to memory of 2208 2884 Ndmpddfe.exe 105 PID 2884 wrote to memory of 2208 2884 Ndmpddfe.exe 105 PID 2884 wrote to memory of 2208 2884 Ndmpddfe.exe 105 PID 2208 wrote to memory of 2728 2208 Nkghqo32.exe 106 PID 2208 wrote to memory of 2728 2208 Nkghqo32.exe 106 PID 2208 wrote to memory of 2728 2208 Nkghqo32.exe 106 PID 2728 wrote to memory of 2556 2728 Oileakbj.exe 107 PID 2728 wrote to memory of 2556 2728 Oileakbj.exe 107 PID 2728 wrote to memory of 2556 2728 Oileakbj.exe 107 PID 2556 wrote to memory of 3320 2556 Ohmepbki.exe 108 PID 2556 wrote to memory of 3320 2556 Ohmepbki.exe 108 PID 2556 wrote to memory of 3320 2556 Ohmepbki.exe 108 PID 3320 wrote to memory of 3916 3320 Okkalnjm.exe 109 PID 3320 wrote to memory of 3916 3320 Okkalnjm.exe 109 PID 3320 wrote to memory of 3916 3320 Okkalnjm.exe 109 PID 3916 wrote to memory of 2972 3916 Omlkmign.exe 110 PID 3916 wrote to memory of 2972 3916 Omlkmign.exe 110 PID 3916 wrote to memory of 2972 3916 Omlkmign.exe 110 PID 2972 wrote to memory of 4876 2972 Okpkgm32.exe 111 PID 2972 wrote to memory of 4876 2972 Okpkgm32.exe 111 PID 2972 wrote to memory of 4876 2972 Okpkgm32.exe 111 PID 4876 wrote to memory of 1212 4876 Ohdlpa32.exe 112 PID 4876 wrote to memory of 1212 4876 Ohdlpa32.exe 112 PID 4876 wrote to memory of 1212 4876 Ohdlpa32.exe 112 PID 1212 wrote to memory of 2820 1212 Oalpigkb.exe 113 PID 1212 wrote to memory of 2820 1212 Oalpigkb.exe 113 PID 1212 wrote to memory of 2820 1212 Oalpigkb.exe 113 PID 2820 wrote to memory of 1564 2820 Pncanhaf.exe 114 PID 2820 wrote to memory of 1564 2820 Pncanhaf.exe 114 PID 2820 wrote to memory of 1564 2820 Pncanhaf.exe 114 PID 1564 wrote to memory of 4632 1564 Pgkegn32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d7bb22c2609f010b3517296b6877060N.exe"C:\Users\Admin\AppData\Local\Temp\8d7bb22c2609f010b3517296b6877060N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Mdodbf32.exeC:\Windows\system32\Mdodbf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Mabdlk32.exeC:\Windows\system32\Mabdlk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Mdaqhf32.exeC:\Windows\system32\Mdaqhf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Mhoind32.exeC:\Windows\system32\Mhoind32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Nipffmmg.exeC:\Windows\system32\Nipffmmg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Nibbklke.exeC:\Windows\system32\Nibbklke.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Nieoal32.exeC:\Windows\system32\Nieoal32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Nandhi32.exeC:\Windows\system32\Nandhi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Ndmpddfe.exeC:\Windows\system32\Ndmpddfe.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Oileakbj.exeC:\Windows\system32\Oileakbj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ohmepbki.exeC:\Windows\system32\Ohmepbki.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Omlkmign.exeC:\Windows\system32\Omlkmign.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ohdlpa32.exeC:\Windows\system32\Ohdlpa32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Oalpigkb.exeC:\Windows\system32\Oalpigkb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Pncanhaf.exeC:\Windows\system32\Pncanhaf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Pgkegn32.exeC:\Windows\system32\Pgkegn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe23⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Pnhjig32.exeC:\Windows\system32\Pnhjig32.exe24⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Pklkbl32.exeC:\Windows\system32\Pklkbl32.exe25⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Pnlcdg32.exeC:\Windows\system32\Pnlcdg32.exe27⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Qgehml32.exeC:\Windows\system32\Qgehml32.exe28⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe29⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Qjeaog32.exeC:\Windows\system32\Qjeaog32.exe30⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe31⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe32⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Ajjjjghg.exeC:\Windows\system32\Ajjjjghg.exe33⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Agnkck32.exeC:\Windows\system32\Agnkck32.exe34⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Anhcpeon.exeC:\Windows\system32\Anhcpeon.exe35⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Adbkmo32.exeC:\Windows\system32\Adbkmo32.exe36⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Ajodef32.exeC:\Windows\system32\Ajodef32.exe37⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Addhbo32.exeC:\Windows\system32\Addhbo32.exe38⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe39⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Bbhhlccb.exeC:\Windows\system32\Bbhhlccb.exe40⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Bhbahm32.exeC:\Windows\system32\Bhbahm32.exe41⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Bjcmpepm.exeC:\Windows\system32\Bjcmpepm.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Bnoiqd32.exeC:\Windows\system32\Bnoiqd32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Bggnijof.exeC:\Windows\system32\Bggnijof.exe44⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Bnaffdfc.exeC:\Windows\system32\Bnaffdfc.exe45⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe46⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Bhgjcmfi.exeC:\Windows\system32\Bhgjcmfi.exe47⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Bndblcdq.exeC:\Windows\system32\Bndblcdq.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Bdnkhn32.exeC:\Windows\system32\Bdnkhn32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Bglgdi32.exeC:\Windows\system32\Bglgdi32.exe50⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Bjkcqdje.exeC:\Windows\system32\Bjkcqdje.exe51⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Bdphnmjk.exeC:\Windows\system32\Bdphnmjk.exe52⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe53⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Cbdhgaid.exeC:\Windows\system32\Cbdhgaid.exe54⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Cebdcmhh.exeC:\Windows\system32\Cebdcmhh.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ckmmpg32.exeC:\Windows\system32\Ckmmpg32.exe56⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Cbfema32.exeC:\Windows\system32\Cbfema32.exe57⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Cgcmeh32.exeC:\Windows\system32\Cgcmeh32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4248 -
C:\Windows\SysWOW64\Ckoifgmb.exeC:\Windows\system32\Ckoifgmb.exe59⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Calbnnkj.exeC:\Windows\system32\Calbnnkj.exe60⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ckafkfkp.exeC:\Windows\system32\Ckafkfkp.exe61⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Cnpbgajc.exeC:\Windows\system32\Cnpbgajc.exe62⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Ckcbaf32.exeC:\Windows\system32\Ckcbaf32.exe63⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4628 -
C:\Windows\SysWOW64\Celgjlpn.exeC:\Windows\system32\Celgjlpn.exe65⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\Ckfofe32.exeC:\Windows\system32\Ckfofe32.exe66⤵PID:5168
-
C:\Windows\SysWOW64\Dbphcpog.exeC:\Windows\system32\Dbphcpog.exe67⤵PID:5208
-
C:\Windows\SysWOW64\Dabhomea.exeC:\Windows\system32\Dabhomea.exe68⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Dijppjfd.exeC:\Windows\system32\Dijppjfd.exe69⤵PID:5288
-
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe70⤵PID:5328
-
C:\Windows\SysWOW64\Deqqek32.exeC:\Windows\system32\Deqqek32.exe71⤵PID:5368
-
C:\Windows\SysWOW64\Dlkiaece.exeC:\Windows\system32\Dlkiaece.exe72⤵PID:5408
-
C:\Windows\SysWOW64\Dnienqbi.exeC:\Windows\system32\Dnienqbi.exe73⤵PID:5444
-
C:\Windows\SysWOW64\Decmjjie.exeC:\Windows\system32\Decmjjie.exe74⤵PID:5488
-
C:\Windows\SysWOW64\Djpfbahm.exeC:\Windows\system32\Djpfbahm.exe75⤵PID:5528
-
C:\Windows\SysWOW64\Dajnol32.exeC:\Windows\system32\Dajnol32.exe76⤵PID:5568
-
C:\Windows\SysWOW64\Diafqi32.exeC:\Windows\system32\Diafqi32.exe77⤵PID:5608
-
C:\Windows\SysWOW64\Djbbhafj.exeC:\Windows\system32\Djbbhafj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5648 -
C:\Windows\SysWOW64\Dehgejep.exeC:\Windows\system32\Dehgejep.exe79⤵PID:5696
-
C:\Windows\SysWOW64\Ejdonq32.exeC:\Windows\system32\Ejdonq32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Windows\SysWOW64\Eangjkkd.exeC:\Windows\system32\Eangjkkd.exe81⤵
- System Location Discovery: System Language Discovery
PID:5776 -
C:\Windows\SysWOW64\Eelpqi32.exeC:\Windows\system32\Eelpqi32.exe82⤵PID:5820
-
C:\Windows\SysWOW64\Ehklmd32.exeC:\Windows\system32\Ehklmd32.exe83⤵PID:5864
-
C:\Windows\SysWOW64\Eeomfioh.exeC:\Windows\system32\Eeomfioh.exe84⤵PID:5908
-
C:\Windows\SysWOW64\Ehmibdol.exeC:\Windows\system32\Ehmibdol.exe85⤵PID:5952
-
C:\Windows\SysWOW64\Eimelg32.exeC:\Windows\system32\Eimelg32.exe86⤵PID:5996
-
C:\Windows\SysWOW64\Eoindndf.exeC:\Windows\system32\Eoindndf.exe87⤵PID:6080
-
C:\Windows\SysWOW64\Fjpoio32.exeC:\Windows\system32\Fjpoio32.exe88⤵
- Drops file in System32 directory
PID:6124 -
C:\Windows\SysWOW64\Fiaogfai.exeC:\Windows\system32\Fiaogfai.exe89⤵PID:5152
-
C:\Windows\SysWOW64\Fkbkoo32.exeC:\Windows\system32\Fkbkoo32.exe90⤵PID:5232
-
C:\Windows\SysWOW64\Fbjcplhj.exeC:\Windows\system32\Fbjcplhj.exe91⤵PID:5300
-
C:\Windows\SysWOW64\Fkehdnee.exeC:\Windows\system32\Fkehdnee.exe92⤵PID:5384
-
C:\Windows\SysWOW64\Fifhbf32.exeC:\Windows\system32\Fifhbf32.exe93⤵PID:5452
-
C:\Windows\SysWOW64\Fkgejncb.exeC:\Windows\system32\Fkgejncb.exe94⤵PID:5524
-
C:\Windows\SysWOW64\Fhkecb32.exeC:\Windows\system32\Fhkecb32.exe95⤵PID:5580
-
C:\Windows\SysWOW64\Fbqiak32.exeC:\Windows\system32\Fbqiak32.exe96⤵PID:3040
-
C:\Windows\SysWOW64\Glinjqhb.exeC:\Windows\system32\Glinjqhb.exe97⤵PID:5744
-
C:\Windows\SysWOW64\Gogjflhf.exeC:\Windows\system32\Gogjflhf.exe98⤵PID:5812
-
C:\Windows\SysWOW64\Gimoce32.exeC:\Windows\system32\Gimoce32.exe99⤵PID:5856
-
C:\Windows\SysWOW64\Glkkop32.exeC:\Windows\system32\Glkkop32.exe100⤵PID:5920
-
C:\Windows\SysWOW64\Gojgkl32.exeC:\Windows\system32\Gojgkl32.exe101⤵PID:6072
-
C:\Windows\SysWOW64\Gedohfmp.exeC:\Windows\system32\Gedohfmp.exe102⤵PID:6116
-
C:\Windows\SysWOW64\Glngep32.exeC:\Windows\system32\Glngep32.exe103⤵PID:5204
-
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe104⤵PID:5264
-
C:\Windows\SysWOW64\Geflne32.exeC:\Windows\system32\Geflne32.exe105⤵PID:5440
-
C:\Windows\SysWOW64\Glpdjpbj.exeC:\Windows\system32\Glpdjpbj.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552 -
C:\Windows\SysWOW64\Gbjlgj32.exeC:\Windows\system32\Gbjlgj32.exe107⤵PID:5632
-
C:\Windows\SysWOW64\Giddddad.exeC:\Windows\system32\Giddddad.exe108⤵PID:5788
-
C:\Windows\SysWOW64\Hifaic32.exeC:\Windows\system32\Hifaic32.exe109⤵PID:5896
-
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe110⤵PID:5988
-
C:\Windows\SysWOW64\Haafnf32.exeC:\Windows\system32\Haafnf32.exe111⤵PID:1820
-
C:\Windows\SysWOW64\Hiinoc32.exeC:\Windows\system32\Hiinoc32.exe112⤵PID:5296
-
C:\Windows\SysWOW64\Hkjjfkcm.exeC:\Windows\system32\Hkjjfkcm.exe113⤵PID:5432
-
C:\Windows\SysWOW64\Hcabhido.exeC:\Windows\system32\Hcabhido.exe114⤵PID:5656
-
C:\Windows\SysWOW64\Hikkdc32.exeC:\Windows\system32\Hikkdc32.exe115⤵PID:5724
-
C:\Windows\SysWOW64\Hligqnjp.exeC:\Windows\system32\Hligqnjp.exe116⤵PID:5992
-
C:\Windows\SysWOW64\Hccomh32.exeC:\Windows\system32\Hccomh32.exe117⤵PID:5124
-
C:\Windows\SysWOW64\Hebkid32.exeC:\Windows\system32\Hebkid32.exe118⤵PID:5400
-
C:\Windows\SysWOW64\Hhpheo32.exeC:\Windows\system32\Hhpheo32.exe119⤵PID:5760
-
C:\Windows\SysWOW64\Hkodak32.exeC:\Windows\system32\Hkodak32.exe120⤵PID:5948
-
C:\Windows\SysWOW64\Hojpbigq.exeC:\Windows\system32\Hojpbigq.exe121⤵PID:5324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-