Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
111s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23/08/2024, 18:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d1fd1abaabb66d22fb71dd62ddf12ac0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d1fd1abaabb66d22fb71dd62ddf12ac0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d1fd1abaabb66d22fb71dd62ddf12ac0N.exe
-
Size
384KB
-
MD5
d1fd1abaabb66d22fb71dd62ddf12ac0
-
SHA1
6dde182c10585b1c7c365132fea5ee81535de5e1
-
SHA256
d898915fc66298149f91e22c60e9c3149cb987a5cbe2bf4ccf30e08a328f4b40
-
SHA512
26f841bef31a380ea53746f6921b0ac53d49a671f6735c0b6e6d8eaa576befe776d4de978e219ef9f0ad5c28e593d04467b8b24499c2a8e3fe421844f255a2b2
-
SSDEEP
6144:CEWu5yxqTVuJpui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+8mkUm:Wu5yxqApV6yYPI3cpV6yYPZ0PVdvcY9T
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajkaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agjhgngj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocddono.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkgeainn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klfaapbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipdap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefgbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjgeedch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpmlnjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpbbch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghpocngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbbagk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohhnbhok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnangaoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmemac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnaokmco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnlkfpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhiajmod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalipoiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfcok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdbfodfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbjena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chiigadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcanll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmomlnjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nheble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpcmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Niniei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biogppeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkofdbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmhhefi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdgnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nemcjk32.exe -
Executes dropped EXE 64 IoCs
pid Process 4276 Mmbfpp32.exe 4048 Mpablkhc.exe 4564 Mcpnhfhf.exe 1676 Nepgjaeg.exe 4288 Nngokoej.exe 1784 Ncdgcf32.exe 4620 Nlmllkja.exe 716 Ngbpidjh.exe 4112 Nnlhfn32.exe 2384 Ncianepl.exe 3220 Nnneknob.exe 4500 Nggjdc32.exe 3108 Olcbmj32.exe 4808 Odkjng32.exe 2900 Ocnjidkf.exe 1040 Ocpgod32.exe 5012 Olhlhjpd.exe 3604 Ocbddc32.exe 2140 Ojllan32.exe 4784 Oqfdnhfk.exe 2332 Ocdqjceo.exe 3688 Ojoign32.exe 2368 Olmeci32.exe 4756 Oqhacgdh.exe 3320 Pnonbk32.exe 64 Pqmjog32.exe 612 Pmdkch32.exe 4812 Qjoankoi.exe 3764 Qgcbgo32.exe 3128 Aqkgpedc.exe 2120 Ajckij32.exe 1020 Aeiofcji.exe 3516 Ajfhnjhq.exe 720 Amddjegd.exe 2344 Aeklkchg.exe 3224 Agjhgngj.exe 4976 Ajhddjfn.exe 4964 Amgapeea.exe 1732 Acqimo32.exe 1100 Ajkaii32.exe 1576 Aminee32.exe 3000 Aepefb32.exe 1188 Bfabnjjp.exe 3168 Bnhjohkb.exe 4920 Bagflcje.exe 4340 Bganhm32.exe 4132 Bfdodjhm.exe 2984 Bmngqdpj.exe 1960 Beeoaapl.exe 1084 Bgcknmop.exe 884 Bjagjhnc.exe 320 Bmpcfdmg.exe 1372 Bcjlcn32.exe 712 Bjddphlq.exe 428 Bmbplc32.exe 4832 Beihma32.exe 3268 Bfkedibe.exe 4840 Bjfaeh32.exe 3292 Bmemac32.exe 1940 Belebq32.exe 2504 Cjinkg32.exe 4476 Cmgjgcgo.exe 1116 Cdabcm32.exe 388 Cfpnph32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aboiil32.dll Ifbbig32.exe File opened for modification C:\Windows\SysWOW64\Jiokfpph.exe Jgonlm32.exe File opened for modification C:\Windows\SysWOW64\Ejoomhmi.exe Ebhglj32.exe File created C:\Windows\SysWOW64\Ilkoim32.exe Process not Found File created C:\Windows\SysWOW64\Pknjieep.dll Process not Found File created C:\Windows\SysWOW64\Omopjcjp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Dknpmdfc.exe Dgbdlf32.exe File created C:\Windows\SysWOW64\Ipgiebei.dll Fpjjac32.exe File opened for modification C:\Windows\SysWOW64\Gikkfqmf.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Kjeiodek.exe Kgflcifg.exe File created C:\Windows\SysWOW64\Imffkelf.dll Process not Found File created C:\Windows\SysWOW64\Coaadq32.dll Bihjfnmm.exe File created C:\Windows\SysWOW64\Fpejlmcf.exe Fikbocki.exe File opened for modification C:\Windows\SysWOW64\Lgpoihnl.exe Lcdciiec.exe File created C:\Windows\SysWOW64\Afbgkl32.exe Aphnnafb.exe File created C:\Windows\SysWOW64\Gfmojenc.exe Gdobnj32.exe File opened for modification C:\Windows\SysWOW64\Kgflcifg.exe Klahfp32.exe File created C:\Windows\SysWOW64\Qfmfefni.exe Process not Found File created C:\Windows\SysWOW64\Mpkcqhdh.dll Process not Found File created C:\Windows\SysWOW64\Aqmlknnd.exe Ahfdjanb.exe File created C:\Windows\SysWOW64\Ddgfdiop.dll Cadlbk32.exe File created C:\Windows\SysWOW64\Ingcceof.dll Ohghgodi.exe File created C:\Windows\SysWOW64\Dlieda32.exe Dikihe32.exe File created C:\Windows\SysWOW64\Dpgnjo32.exe Dmhand32.exe File created C:\Windows\SysWOW64\Afakoidm.dll Ickglm32.exe File created C:\Windows\SysWOW64\Ibajgf32.dll Cflkpblf.exe File opened for modification C:\Windows\SysWOW64\Hckeoeno.exe Hlambk32.exe File created C:\Windows\SysWOW64\Aajohjon.exe Aolblopj.exe File created C:\Windows\SysWOW64\Jifecp32.exe Process not Found File created C:\Windows\SysWOW64\Ekooihip.dll Kkconn32.exe File created C:\Windows\SysWOW64\Lhqefjpo.exe Process not Found File created C:\Windows\SysWOW64\Djdmffnn.exe Ddjejl32.exe File created C:\Windows\SysWOW64\Jdblhj32.dll Flkdfh32.exe File created C:\Windows\SysWOW64\Omgmeigd.exe Ojhpimhp.exe File created C:\Windows\SysWOW64\Ncbafoge.exe Process not Found File created C:\Windows\SysWOW64\Moobbb32.exe Mlnipg32.exe File created C:\Windows\SysWOW64\Ogklelna.exe Oocddono.exe File created C:\Windows\SysWOW64\Idhmabfb.dll Jdedak32.exe File created C:\Windows\SysWOW64\Oqmhqapg.exe Process not Found File created C:\Windows\SysWOW64\Biiobo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qhlkilba.exe Piijno32.exe File created C:\Windows\SysWOW64\Fechomko.exe Fbelcblk.exe File opened for modification C:\Windows\SysWOW64\Dndgfpbo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Feapkk32.exe Fnjhjn32.exe File created C:\Windows\SysWOW64\Fnpeoe32.dll Bbnkonbd.exe File opened for modification C:\Windows\SysWOW64\Hlambk32.exe Hibafp32.exe File opened for modification C:\Windows\SysWOW64\Hekgfj32.exe Hblkjo32.exe File opened for modification C:\Windows\SysWOW64\Dejacond.exe Dmcibama.exe File created C:\Windows\SysWOW64\Mblkhq32.exe Mlbbkfoq.exe File created C:\Windows\SysWOW64\Ggcfja32.exe Gnkaalkd.exe File created C:\Windows\SysWOW64\Enpmld32.exe Epmmqheb.exe File created C:\Windows\SysWOW64\Eepmqdbn.dll Akkffkhk.exe File created C:\Windows\SysWOW64\Gidbim32.dll Djgjlelk.exe File created C:\Windows\SysWOW64\Hifpcjin.dll Filiii32.exe File created C:\Windows\SysWOW64\Mpeaedjn.dll Haoimcgg.exe File opened for modification C:\Windows\SysWOW64\Ocihgnam.exe Process not Found File created C:\Windows\SysWOW64\Aoabad32.exe Akffafgg.exe File created C:\Windows\SysWOW64\Belebq32.exe Bmemac32.exe File created C:\Windows\SysWOW64\Iomoenej.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Bfmpaf32.dll Process not Found File created C:\Windows\SysWOW64\Ealadnik.exe Eonehbjg.exe File created C:\Windows\SysWOW64\Dfnbgc32.exe Dodjjimm.exe File opened for modification C:\Windows\SysWOW64\Komhll32.exe Jlolpq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11760 11612 Process not Found 1389 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecdjmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goljqnpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhfkopc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifkpknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghipne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocamjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkbfeab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibicnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghcocol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojllan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkcboack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdepgkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddjfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgghjjid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obafpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phigif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdhcddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcjnilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncdgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjhgngj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjljpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcoqocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipekiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqqdeod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbphdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnddgjbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkple32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkidohn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phonha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjoankoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfamjqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfppabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfgkffn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnmghonf.dll" Efhcbodf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgkpdcmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennioe32.dll" Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blafme32.dll" Igdnabjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll" Bmeandma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goljqnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbfbhoh.dll" Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pifnhpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akhcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkbkddd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dahhio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qcbfakec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjbbo32.dll" Dgejpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pflibgil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll" Aoioli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becnaq32.dll" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojdgnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaalh32.dll" Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hplfookn.dll" Idbodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jqknkedi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpmlnjco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckamjcad.dll" Eolhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkgmlcm.dll" Ghpocngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmlilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njoddaaj.dll" Cfcjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll" Cbdjeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcanll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fnobem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgabkoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmcjb32.dll" Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olbdhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bojomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhagfo32.dll" Fhdfbfdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eejeiocj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfjdqmng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll" Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kidiae32.dll" Aqaffn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbado32.dll" Idahjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liabph32.dll" Ljqhkckn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1972 wrote to memory of 4276 1972 d1fd1abaabb66d22fb71dd62ddf12ac0N.exe 84 PID 1972 wrote to memory of 4276 1972 d1fd1abaabb66d22fb71dd62ddf12ac0N.exe 84 PID 1972 wrote to memory of 4276 1972 d1fd1abaabb66d22fb71dd62ddf12ac0N.exe 84 PID 4276 wrote to memory of 4048 4276 Mmbfpp32.exe 85 PID 4276 wrote to memory of 4048 4276 Mmbfpp32.exe 85 PID 4276 wrote to memory of 4048 4276 Mmbfpp32.exe 85 PID 4048 wrote to memory of 4564 4048 Mpablkhc.exe 86 PID 4048 wrote to memory of 4564 4048 Mpablkhc.exe 86 PID 4048 wrote to memory of 4564 4048 Mpablkhc.exe 86 PID 4564 wrote to memory of 1676 4564 Mcpnhfhf.exe 87 PID 4564 wrote to memory of 1676 4564 Mcpnhfhf.exe 87 PID 4564 wrote to memory of 1676 4564 Mcpnhfhf.exe 87 PID 1676 wrote to memory of 4288 1676 Nepgjaeg.exe 88 PID 1676 wrote to memory of 4288 1676 Nepgjaeg.exe 88 PID 1676 wrote to memory of 4288 1676 Nepgjaeg.exe 88 PID 4288 wrote to memory of 1784 4288 Nngokoej.exe 89 PID 4288 wrote to memory of 1784 4288 Nngokoej.exe 89 PID 4288 wrote to memory of 1784 4288 Nngokoej.exe 89 PID 1784 wrote to memory of 4620 1784 Ncdgcf32.exe 90 PID 1784 wrote to memory of 4620 1784 Ncdgcf32.exe 90 PID 1784 wrote to memory of 4620 1784 Ncdgcf32.exe 90 PID 4620 wrote to memory of 716 4620 Nlmllkja.exe 91 PID 4620 wrote to memory of 716 4620 Nlmllkja.exe 91 PID 4620 wrote to memory of 716 4620 Nlmllkja.exe 91 PID 716 wrote to memory of 4112 716 Ngbpidjh.exe 93 PID 716 wrote to memory of 4112 716 Ngbpidjh.exe 93 PID 716 wrote to memory of 4112 716 Ngbpidjh.exe 93 PID 4112 wrote to memory of 2384 4112 Nnlhfn32.exe 94 PID 4112 wrote to memory of 2384 4112 Nnlhfn32.exe 94 PID 4112 wrote to memory of 2384 4112 Nnlhfn32.exe 94 PID 2384 wrote to memory of 3220 2384 Ncianepl.exe 95 PID 2384 wrote to memory of 3220 2384 Ncianepl.exe 95 PID 2384 wrote to memory of 3220 2384 Ncianepl.exe 95 PID 3220 wrote to memory of 4500 3220 Nnneknob.exe 96 PID 3220 wrote to memory of 4500 3220 Nnneknob.exe 96 PID 3220 wrote to memory of 4500 3220 Nnneknob.exe 96 PID 4500 wrote to memory of 3108 4500 Nggjdc32.exe 98 PID 4500 wrote to memory of 3108 4500 Nggjdc32.exe 98 PID 4500 wrote to memory of 3108 4500 Nggjdc32.exe 98 PID 3108 wrote to memory of 4808 3108 Olcbmj32.exe 99 PID 3108 wrote to memory of 4808 3108 Olcbmj32.exe 99 PID 3108 wrote to memory of 4808 3108 Olcbmj32.exe 99 PID 4808 wrote to memory of 2900 4808 Odkjng32.exe 100 PID 4808 wrote to memory of 2900 4808 Odkjng32.exe 100 PID 4808 wrote to memory of 2900 4808 Odkjng32.exe 100 PID 2900 wrote to memory of 1040 2900 Ocnjidkf.exe 101 PID 2900 wrote to memory of 1040 2900 Ocnjidkf.exe 101 PID 2900 wrote to memory of 1040 2900 Ocnjidkf.exe 101 PID 1040 wrote to memory of 5012 1040 Ocpgod32.exe 103 PID 1040 wrote to memory of 5012 1040 Ocpgod32.exe 103 PID 1040 wrote to memory of 5012 1040 Ocpgod32.exe 103 PID 5012 wrote to memory of 3604 5012 Olhlhjpd.exe 104 PID 5012 wrote to memory of 3604 5012 Olhlhjpd.exe 104 PID 5012 wrote to memory of 3604 5012 Olhlhjpd.exe 104 PID 3604 wrote to memory of 2140 3604 Ocbddc32.exe 105 PID 3604 wrote to memory of 2140 3604 Ocbddc32.exe 105 PID 3604 wrote to memory of 2140 3604 Ocbddc32.exe 105 PID 2140 wrote to memory of 4784 2140 Ojllan32.exe 106 PID 2140 wrote to memory of 4784 2140 Ojllan32.exe 106 PID 2140 wrote to memory of 4784 2140 Ojllan32.exe 106 PID 4784 wrote to memory of 2332 4784 Oqfdnhfk.exe 107 PID 4784 wrote to memory of 2332 4784 Oqfdnhfk.exe 107 PID 4784 wrote to memory of 2332 4784 Oqfdnhfk.exe 107 PID 2332 wrote to memory of 3688 2332 Ocdqjceo.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1fd1abaabb66d22fb71dd62ddf12ac0N.exe"C:\Users\Admin\AppData\Local\Temp\d1fd1abaabb66d22fb71dd62ddf12ac0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe23⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe24⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe25⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe26⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe27⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe28⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4812 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe30⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe31⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe32⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe33⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe34⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe35⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe36⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3224 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe39⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe40⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe42⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe43⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe44⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe45⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe46⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe47⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe48⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe49⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe50⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe51⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe52⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe53⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe54⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe55⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe56⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe58⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe59⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3292 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe63⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe64⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe65⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe66⤵PID:2412
-
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe67⤵PID:2896
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe68⤵PID:3236
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe69⤵PID:2628
-
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe70⤵PID:2312
-
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe71⤵PID:3124
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe72⤵PID:2012
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe73⤵PID:1480
-
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe74⤵PID:3344
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe75⤵PID:2304
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe76⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe77⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe78⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe79⤵PID:3352
-
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe80⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe81⤵PID:5132
-
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe82⤵PID:5176
-
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe83⤵PID:5220
-
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe84⤵PID:5256
-
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe85⤵PID:5300
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe86⤵PID:5344
-
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe87⤵PID:5384
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe88⤵PID:5432
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe89⤵PID:5476
-
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe90⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe91⤵PID:5564
-
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe92⤵
- Modifies registry class
PID:5608 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe93⤵
- System Location Discovery: System Language Discovery
PID:5652 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe94⤵PID:5696
-
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe95⤵PID:5740
-
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe96⤵
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe97⤵PID:5828
-
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe98⤵PID:5872
-
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe99⤵PID:5916
-
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe100⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe101⤵PID:6016
-
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe102⤵PID:6092
-
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe103⤵PID:3340
-
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe104⤵PID:5228
-
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe105⤵PID:5296
-
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe106⤵PID:5368
-
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe107⤵PID:5460
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe108⤵PID:5576
-
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe109⤵PID:5644
-
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe110⤵PID:5728
-
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe111⤵PID:5804
-
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe112⤵PID:1156
-
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe113⤵PID:5928
-
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe114⤵PID:6008
-
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe115⤵PID:6140
-
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe116⤵PID:5244
-
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe117⤵
- Drops file in System32 directory
PID:5264 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe118⤵PID:5508
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe119⤵PID:3796
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe120⤵PID:548
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe121⤵PID:5856
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-