Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24/08/2024, 22:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
-
Size
64KB
-
MD5
71086e111572fb73e849404c5867879f
-
SHA1
6b79403ee8f5c10bba42636f82b4e5b2c84d62a1
-
SHA256
4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef
-
SHA512
03fa0d6350d3faf07e6fedc74ecc572542d4f0195b2ee482f77ba8d773fd6c4bf367e35b2242765bacbe3eee9bd27de2bc6954266dadfc70287dd8f96ff5decf
-
SSDEEP
1536:425e1Mcj7sidBW2zDR5NTT8zI4v4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP3PPk:r5ebsiHlTT8zIZhsJuw2Bi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oamgcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkgen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chinkndp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciefek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ileflmpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbehbim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdbooik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaenkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcqmpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkhidaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohggm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhocgqjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbkojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdpmkhjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eohhie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmdeink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moeoje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poagma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpqgbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhion32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjqec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnoefagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfeoijbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eljknl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fakfglhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oinbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaogfai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnkgbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghgbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnknim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghddp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjglg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogbbqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokocmnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkfcigkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdfhil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldnjndpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpfggang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhbhapha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdobhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajdff32.exe -
Executes dropped EXE 64 IoCs
pid Process 3528 Khhaanop.exe 2020 Knbinhfl.exe 1508 Lelajb32.exe 1956 Lfmnbjcg.exe 540 Lndfchdj.exe 2184 Ldanloba.exe 4732 Lfpkhjae.exe 4412 Laeoec32.exe 1368 Lfbgmj32.exe 5624 Laglkb32.exe 2936 Lhadgmge.exe 2688 Lokldg32.exe 5208 Ldhdlnli.exe 2860 Lmqiec32.exe 1720 Mhfmbl32.exe 2392 Mopeofjl.exe 5904 Mmcfkc32.exe 4716 Mejnlpai.exe 4916 Mhhjhlqm.exe 6104 Mkgfdgpq.exe 4940 Mmebpbod.exe 4228 Mdokmm32.exe 1968 Mhkgnkoj.exe 208 Mkicjgnn.exe 5576 Moeoje32.exe 5916 Mmhofbma.exe 436 Meoggpmd.exe 3168 Mdagbl32.exe 5840 Mgpcohcb.exe 536 Mklpof32.exe 2980 Mmjlkb32.exe 1436 Maehlqch.exe 5696 Meadlo32.exe 4608 Mhppik32.exe 3212 Mgbpdgap.exe 5036 Mknlef32.exe 2640 Nmlhaa32.exe 5288 Nahdapae.exe 5176 Ndfanlpi.exe 3108 Nhbmnj32.exe 592 Ngemjg32.exe 2568 Nolekd32.exe 5908 Nnoefagj.exe 4796 Najagp32.exe 3468 Nefmgogl.exe 1500 Nhdicjfp.exe 3184 Nggjog32.exe 3840 Nonbqd32.exe 3844 Nnabladg.exe 5880 Namnmp32.exe 3772 Ndkjik32.exe 5436 Nhffijdm.exe 5876 Ngifef32.exe 3664 Noqofdlj.exe 2104 Nncoaq32.exe 3020 Naokbokn.exe 4628 Ndmgnkja.exe 2460 Nglcjfie.exe 5988 Nockkcjg.exe 1008 Naaghoik.exe 4836 Nemchn32.exe 4356 Nhkpdi32.exe 820 Ngnppfgb.exe 6044 Nkjlqd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Efjgpc32.exe Ebokodfc.exe File created C:\Windows\SysWOW64\Eqblfm32.dll Oemofpel.exe File created C:\Windows\SysWOW64\Fhonpi32.exe Fcbehbim.exe File opened for modification C:\Windows\SysWOW64\Giqlbqcc.exe Process not Found File created C:\Windows\SysWOW64\Pacfdpmc.dll Laofhbmp.exe File created C:\Windows\SysWOW64\Fdjkek32.dll Appaangd.exe File opened for modification C:\Windows\SysWOW64\Aogkhjii.exe Alioloje.exe File opened for modification C:\Windows\SysWOW64\Cghgpgqd.exe Ciefek32.exe File opened for modification C:\Windows\SysWOW64\Gkoinlbg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mplhjabe.exe Process not Found File created C:\Windows\SysWOW64\Neeifa32.exe Nnlqig32.exe File opened for modification C:\Windows\SysWOW64\Fnjmea32.exe Fpimgjbm.exe File created C:\Windows\SysWOW64\Dkkaqcod.dll Fnmqegle.exe File opened for modification C:\Windows\SysWOW64\Ifdgaond.exe Hagnihom.exe File created C:\Windows\SysWOW64\Hhehkepj.exe Hjbhph32.exe File opened for modification C:\Windows\SysWOW64\Hagnihom.exe Hmlbij32.exe File created C:\Windows\SysWOW64\Gcneca32.exe Gqohge32.exe File opened for modification C:\Windows\SysWOW64\Nahdapae.exe Nmlhaa32.exe File opened for modification C:\Windows\SysWOW64\Aiimejap.exe Agkqiobl.exe File created C:\Windows\SysWOW64\Kgnbol32.exe Kobnji32.exe File created C:\Windows\SysWOW64\Ibfafq32.dll Mqbpjmeg.exe File created C:\Windows\SysWOW64\Qkfbab32.dll Opfedb32.exe File created C:\Windows\SysWOW64\Andghd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eapmedef.exe Ejfeij32.exe File created C:\Windows\SysWOW64\Djlppb32.dll Fpimgjbm.exe File created C:\Windows\SysWOW64\Jajocm32.dll Process not Found File created C:\Windows\SysWOW64\Mngocq32.dll Jamhflqq.exe File opened for modification C:\Windows\SysWOW64\Ejaecdnc.exe Dokqfl32.exe File created C:\Windows\SysWOW64\Gceaofmc.exe Gmkibl32.exe File created C:\Windows\SysWOW64\Okjnpija.dll Process not Found File created C:\Windows\SysWOW64\Eoollocp.exe Process not Found File created C:\Windows\SysWOW64\Ckmmpg32.exe Cbdhgaid.exe File created C:\Windows\SysWOW64\Hholim32.dll Jbpkfa32.exe File created C:\Windows\SysWOW64\Addcbd32.dll Lkcaeige.exe File opened for modification C:\Windows\SysWOW64\Onecof32.exe Omdghmfo.exe File created C:\Windows\SysWOW64\Jfedkmem.dll Egiohh32.exe File opened for modification C:\Windows\SysWOW64\Niifnf32.exe Process not Found File created C:\Windows\SysWOW64\Jjffpb32.dll Cejaobel.exe File opened for modification C:\Windows\SysWOW64\Miklkm32.exe Mhjpceko.exe File created C:\Windows\SysWOW64\Fbjcplhj.exe Fiaogfai.exe File created C:\Windows\SysWOW64\Flhlak32.dll Hfonfp32.exe File created C:\Windows\SysWOW64\Ialhdh32.exe Ikbphn32.exe File opened for modification C:\Windows\SysWOW64\Lajmmc32.exe Kolaqh32.exe File created C:\Windows\SysWOW64\Plgkpj32.dll Jobfdl32.exe File created C:\Windows\SysWOW64\Qkpdbm32.dll Process not Found File created C:\Windows\SysWOW64\Dojlhg32.exe Dlkplk32.exe File created C:\Windows\SysWOW64\Hmgbginj.dll Jmmcgbnf.exe File opened for modification C:\Windows\SysWOW64\Anccjp32.exe Akdfndpd.exe File created C:\Windows\SysWOW64\Ahdpea32.exe Aefcif32.exe File created C:\Windows\SysWOW64\Lkdlhaop.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ndmgnkja.exe Naokbokn.exe File created C:\Windows\SysWOW64\Hnlnbkcc.dll Poagma32.exe File opened for modification C:\Windows\SysWOW64\Qkpmcddi.exe Qdfefkll.exe File opened for modification C:\Windows\SysWOW64\Joahop32.exe Jhgpbf32.exe File created C:\Windows\SysWOW64\Jknocljn.exe Jhocgqjj.exe File opened for modification C:\Windows\SysWOW64\Bhppap32.exe Bafgdfim.exe File created C:\Windows\SysWOW64\Mgpcohcb.exe Mdagbl32.exe File created C:\Windows\SysWOW64\Enpjkjkh.dll Jlafhkfe.exe File created C:\Windows\SysWOW64\Clnchh32.dll Process not Found File created C:\Windows\SysWOW64\Aoleqi32.dll Process not Found File created C:\Windows\SysWOW64\Kacofh32.dll Philfgdh.exe File created C:\Windows\SysWOW64\Lcndab32.exe Lmcldhfp.exe File opened for modification C:\Windows\SysWOW64\Cnhell32.exe Cgnmpbec.exe File created C:\Windows\SysWOW64\Fppchile.exe Fmbflm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15336 12448 Process not Found 1439 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdmfljb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocamk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffggdmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhkgnkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgehml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkplilgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appaangd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncoaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nockkcjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agmehamp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbkdald.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjgdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcjjhgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnmjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helkdnaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbehbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfipakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgngqico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eieplhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncehk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekahhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfldkei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqeihbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkpipaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocdba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkbhbeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppjnpem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aikbpckb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbbfadn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhhaclqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmkak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfimmhkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjofambd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifipmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nocphd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phpbffnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkonbamc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppelkeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqdechnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbifmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moeoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diopep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppbejka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfoac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkpmcddi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfpkbfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfhnme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqdlmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odighm32.dll" Idjdqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpimgjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmlmcmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnlbndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fljedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbbfadn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgjhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dncehk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdfhil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgnleiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnailf32.dll" Omlkmign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbhina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aieeddaq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjgdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agagab32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgjjoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqagcpkg.dll" Fbjcplhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idonlbff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lppjnpem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhblfpng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbihmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hodqlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jookjpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjnjbap.dll" Nfgbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmpido32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bafgdfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbpmfe32.dll" Behiec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kciaqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oecego32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lonnfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfpkbfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnmhgjpl.dll" Neclpamg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhiinbdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faiplcmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmlofhca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdpdkkf.dll" Hphbpehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahilfha.dll" Jopaejlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfkbglj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgkkij32.dll" Najagp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckclfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfdkm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cemndbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emlgedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhmdeink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpplb32.dll" Glkdejcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbkdgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfonfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehedic32.dll" Efnennjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamlkk32.dll" Gcpaiq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5368 wrote to memory of 3528 5368 4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe 91 PID 5368 wrote to memory of 3528 5368 4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe 91 PID 5368 wrote to memory of 3528 5368 4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe 91 PID 3528 wrote to memory of 2020 3528 Khhaanop.exe 92 PID 3528 wrote to memory of 2020 3528 Khhaanop.exe 92 PID 3528 wrote to memory of 2020 3528 Khhaanop.exe 92 PID 2020 wrote to memory of 1508 2020 Knbinhfl.exe 93 PID 2020 wrote to memory of 1508 2020 Knbinhfl.exe 93 PID 2020 wrote to memory of 1508 2020 Knbinhfl.exe 93 PID 1508 wrote to memory of 1956 1508 Lelajb32.exe 94 PID 1508 wrote to memory of 1956 1508 Lelajb32.exe 94 PID 1508 wrote to memory of 1956 1508 Lelajb32.exe 94 PID 1956 wrote to memory of 540 1956 Lfmnbjcg.exe 95 PID 1956 wrote to memory of 540 1956 Lfmnbjcg.exe 95 PID 1956 wrote to memory of 540 1956 Lfmnbjcg.exe 95 PID 540 wrote to memory of 2184 540 Lndfchdj.exe 96 PID 540 wrote to memory of 2184 540 Lndfchdj.exe 96 PID 540 wrote to memory of 2184 540 Lndfchdj.exe 96 PID 2184 wrote to memory of 4732 2184 Ldanloba.exe 97 PID 2184 wrote to memory of 4732 2184 Ldanloba.exe 97 PID 2184 wrote to memory of 4732 2184 Ldanloba.exe 97 PID 4732 wrote to memory of 4412 4732 Lfpkhjae.exe 99 PID 4732 wrote to memory of 4412 4732 Lfpkhjae.exe 99 PID 4732 wrote to memory of 4412 4732 Lfpkhjae.exe 99 PID 4412 wrote to memory of 1368 4412 Laeoec32.exe 100 PID 4412 wrote to memory of 1368 4412 Laeoec32.exe 100 PID 4412 wrote to memory of 1368 4412 Laeoec32.exe 100 PID 1368 wrote to memory of 5624 1368 Lfbgmj32.exe 101 PID 1368 wrote to memory of 5624 1368 Lfbgmj32.exe 101 PID 1368 wrote to memory of 5624 1368 Lfbgmj32.exe 101 PID 5624 wrote to memory of 2936 5624 Laglkb32.exe 102 PID 5624 wrote to memory of 2936 5624 Laglkb32.exe 102 PID 5624 wrote to memory of 2936 5624 Laglkb32.exe 102 PID 2936 wrote to memory of 2688 2936 Lhadgmge.exe 104 PID 2936 wrote to memory of 2688 2936 Lhadgmge.exe 104 PID 2936 wrote to memory of 2688 2936 Lhadgmge.exe 104 PID 2688 wrote to memory of 5208 2688 Lokldg32.exe 105 PID 2688 wrote to memory of 5208 2688 Lokldg32.exe 105 PID 2688 wrote to memory of 5208 2688 Lokldg32.exe 105 PID 5208 wrote to memory of 2860 5208 Ldhdlnli.exe 106 PID 5208 wrote to memory of 2860 5208 Ldhdlnli.exe 106 PID 5208 wrote to memory of 2860 5208 Ldhdlnli.exe 106 PID 2860 wrote to memory of 1720 2860 Lmqiec32.exe 107 PID 2860 wrote to memory of 1720 2860 Lmqiec32.exe 107 PID 2860 wrote to memory of 1720 2860 Lmqiec32.exe 107 PID 1720 wrote to memory of 2392 1720 Mhfmbl32.exe 108 PID 1720 wrote to memory of 2392 1720 Mhfmbl32.exe 108 PID 1720 wrote to memory of 2392 1720 Mhfmbl32.exe 108 PID 2392 wrote to memory of 5904 2392 Mopeofjl.exe 109 PID 2392 wrote to memory of 5904 2392 Mopeofjl.exe 109 PID 2392 wrote to memory of 5904 2392 Mopeofjl.exe 109 PID 5904 wrote to memory of 4716 5904 Mmcfkc32.exe 110 PID 5904 wrote to memory of 4716 5904 Mmcfkc32.exe 110 PID 5904 wrote to memory of 4716 5904 Mmcfkc32.exe 110 PID 4716 wrote to memory of 4916 4716 Mejnlpai.exe 111 PID 4716 wrote to memory of 4916 4716 Mejnlpai.exe 111 PID 4716 wrote to memory of 4916 4716 Mejnlpai.exe 111 PID 4916 wrote to memory of 6104 4916 Mhhjhlqm.exe 112 PID 4916 wrote to memory of 6104 4916 Mhhjhlqm.exe 112 PID 4916 wrote to memory of 6104 4916 Mhhjhlqm.exe 112 PID 6104 wrote to memory of 4940 6104 Mkgfdgpq.exe 113 PID 6104 wrote to memory of 4940 6104 Mkgfdgpq.exe 113 PID 6104 wrote to memory of 4940 6104 Mkgfdgpq.exe 113 PID 4940 wrote to memory of 4228 4940 Mmebpbod.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe"C:\Users\Admin\AppData\Local\Temp\4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5368 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Knbinhfl.exeC:\Windows\system32\Knbinhfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Ldanloba.exeC:\Windows\system32\Ldanloba.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Laeoec32.exeC:\Windows\system32\Laeoec32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Lfbgmj32.exeC:\Windows\system32\Lfbgmj32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5624 -
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5208 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5904 -
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6104 -
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Mdokmm32.exeC:\Windows\system32\Mdokmm32.exe23⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe25⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5576 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe27⤵
- Executes dropped EXE
PID:5916 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe28⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Mdagbl32.exeC:\Windows\system32\Mdagbl32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe30⤵
- Executes dropped EXE
PID:5840 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe31⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe32⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Maehlqch.exeC:\Windows\system32\Maehlqch.exe33⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe34⤵
- Executes dropped EXE
PID:5696 -
C:\Windows\SysWOW64\Mhppik32.exeC:\Windows\system32\Mhppik32.exe35⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe36⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Mknlef32.exeC:\Windows\system32\Mknlef32.exe37⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe39⤵
- Executes dropped EXE
PID:5288 -
C:\Windows\SysWOW64\Ndfanlpi.exeC:\Windows\system32\Ndfanlpi.exe40⤵
- Executes dropped EXE
PID:5176 -
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe41⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Ngemjg32.exeC:\Windows\system32\Ngemjg32.exe42⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe43⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5908 -
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Nefmgogl.exeC:\Windows\system32\Nefmgogl.exe46⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe47⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Nggjog32.exeC:\Windows\system32\Nggjog32.exe48⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Nonbqd32.exeC:\Windows\system32\Nonbqd32.exe49⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe50⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe51⤵
- Executes dropped EXE
PID:5880 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe52⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Nhffijdm.exeC:\Windows\system32\Nhffijdm.exe53⤵
- Executes dropped EXE
PID:5436 -
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe54⤵
- Executes dropped EXE
PID:5876 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe55⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Nncoaq32.exeC:\Windows\system32\Nncoaq32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe58⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Nglcjfie.exeC:\Windows\system32\Nglcjfie.exe59⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5988 -
C:\Windows\SysWOW64\Naaghoik.exeC:\Windows\system32\Naaghoik.exe61⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Nemchn32.exeC:\Windows\system32\Nemchn32.exe62⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe63⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Ngnppfgb.exeC:\Windows\system32\Ngnppfgb.exe64⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe65⤵
- Executes dropped EXE
PID:6044 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe66⤵PID:5264
-
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe67⤵PID:2760
-
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe68⤵PID:4468
-
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe69⤵PID:116
-
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe70⤵PID:5032
-
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe71⤵PID:4404
-
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe72⤵PID:2496
-
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe73⤵PID:3104
-
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe74⤵PID:2096
-
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe75⤵PID:2664
-
C:\Windows\SysWOW64\Oookgbpj.exeC:\Windows\system32\Oookgbpj.exe76⤵PID:3516
-
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:452 -
C:\Windows\SysWOW64\Odkcpi32.exeC:\Windows\system32\Odkcpi32.exe78⤵PID:5844
-
C:\Windows\SysWOW64\Ogjpld32.exeC:\Windows\system32\Ogjpld32.exe79⤵PID:6040
-
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe81⤵PID:5224
-
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe82⤵
- Drops file in System32 directory
PID:4548 -
C:\Windows\SysWOW64\Pkhhbbck.exeC:\Windows\system32\Pkhhbbck.exe83⤵PID:4748
-
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe84⤵
- System Location Discovery: System Language Discovery
PID:5676 -
C:\Windows\SysWOW64\Pbapom32.exeC:\Windows\system32\Pbapom32.exe85⤵PID:4816
-
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5268 -
C:\Windows\SysWOW64\Pgoigcip.exeC:\Windows\system32\Pgoigcip.exe87⤵PID:5692
-
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe88⤵PID:5764
-
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe89⤵PID:3616
-
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe90⤵PID:4912
-
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe91⤵PID:3644
-
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe92⤵PID:3312
-
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3952 -
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe94⤵PID:6136
-
C:\Windows\SysWOW64\Phpbffnp.exeC:\Windows\system32\Phpbffnp.exe95⤵
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe96⤵
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Pojjcp32.exeC:\Windows\system32\Pojjcp32.exe97⤵PID:5132
-
C:\Windows\SysWOW64\Qnpgdmjd.exeC:\Windows\system32\Qnpgdmjd.exe98⤵PID:5848
-
C:\Windows\SysWOW64\Qffoejkg.exeC:\Windows\system32\Qffoejkg.exe99⤵PID:6096
-
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe100⤵PID:3980
-
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe101⤵PID:5588
-
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe102⤵PID:4672
-
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe103⤵PID:5732
-
C:\Windows\SysWOW64\Aoapcood.exeC:\Windows\system32\Aoapcood.exe104⤵PID:3128
-
C:\Windows\SysWOW64\Abpmpkoh.exeC:\Windows\system32\Abpmpkoh.exe105⤵PID:2484
-
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe106⤵PID:4164
-
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe107⤵PID:2744
-
C:\Windows\SysWOW64\Agmehamp.exeC:\Windows\system32\Agmehamp.exe108⤵
- System Location Discovery: System Language Discovery
PID:4636 -
C:\Windows\SysWOW64\Aocmio32.exeC:\Windows\system32\Aocmio32.exe109⤵PID:4424
-
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe110⤵PID:4592
-
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe111⤵PID:5484
-
C:\Windows\SysWOW64\Aofjoo32.exeC:\Windows\system32\Aofjoo32.exe112⤵PID:2776
-
C:\Windows\SysWOW64\Abdfkj32.exeC:\Windows\system32\Abdfkj32.exe113⤵PID:1852
-
C:\Windows\SysWOW64\Afpbkicl.exeC:\Windows\system32\Afpbkicl.exe114⤵PID:5724
-
C:\Windows\SysWOW64\Aecbge32.exeC:\Windows\system32\Aecbge32.exe115⤵PID:4712
-
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe116⤵PID:1456
-
C:\Windows\SysWOW64\Afboah32.exeC:\Windows\system32\Afboah32.exe117⤵PID:3940
-
C:\Windows\SysWOW64\Aiqkmd32.exeC:\Windows\system32\Aiqkmd32.exe118⤵PID:5280
-
C:\Windows\SysWOW64\Akogio32.exeC:\Windows\system32\Akogio32.exe119⤵PID:3340
-
C:\Windows\SysWOW64\Abipfifn.exeC:\Windows\system32\Abipfifn.exe120⤵PID:2592
-
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe121⤵PID:384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-