Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
107s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 14:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9fed3887be350d7479ba5e4abef9aa80N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
9fed3887be350d7479ba5e4abef9aa80N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
9fed3887be350d7479ba5e4abef9aa80N.exe
-
Size
80KB
-
MD5
9fed3887be350d7479ba5e4abef9aa80
-
SHA1
5ef86d0bf3b07513e29278aca517fb17fe8fc173
-
SHA256
b50dfeda2c85043c71034f361f27c5ea958163888bc4be46c300ddc86f3da58d
-
SHA512
44425c40e04872215ee3740464f4ee14ecc915028dee2e2652959e4f8a3a93f75e733e06ded82176200ee52f6759c30d11b0e40fe4e57015359ec2ba11895e00
-
SSDEEP
1536:Zs2+p1V9byKXmEE7wwt4vb12L25J9VqDlzVxyh+CbxMa:Zs2mv9m/0w6qCJ9IDlRxyhTb7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmmnjfnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cflkpblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diffglam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hghoeqmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibpiogmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilcjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnicfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phigif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdijbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikcdlmgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkaqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oampjeml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akamff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Higjaoci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napjdpcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foghnabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkabjbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmofagfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qddfkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdoem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnnpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bohbhmfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daconoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efffmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epagkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqeib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohaeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqpbglno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjgpfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgqeappe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomcgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqqdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkicaahi.exe -
Executes dropped EXE 64 IoCs
pid Process 4756 Mnebeogl.exe 1112 Ndokbi32.exe 3240 Ngmgne32.exe 4968 Nilcjp32.exe 2548 Nngokoej.exe 2480 Ndaggimg.exe 4884 Ncdgcf32.exe 4016 Njnpppkn.exe 3792 Nlmllkja.exe 3616 Ndcdmikd.exe 1728 Neeqea32.exe 924 Njqmepik.exe 3776 Npjebj32.exe 2192 Ncianepl.exe 4244 Nfgmjqop.exe 3696 Nlaegk32.exe 876 Ndhmhh32.exe 2460 Nfjjppmm.exe 780 Olcbmj32.exe 4516 Ogifjcdp.exe 2552 Olfobjbg.exe 4208 Ocpgod32.exe 3364 Ofnckp32.exe 4512 Olhlhjpd.exe 3964 Odocigqg.exe 1604 Ocbddc32.exe 4588 Ofqpqo32.exe 3708 Onhhamgg.exe 2248 Ocdqjceo.exe 4992 Ojoign32.exe 468 Oqhacgdh.exe 1108 Ofeilobp.exe 3524 Ojaelm32.exe 5092 Pmoahijl.exe 1812 Pqknig32.exe 5048 Pcijeb32.exe 2216 Pfhfan32.exe 3552 Pnonbk32.exe 2016 Pqmjog32.exe 4164 Pclgkb32.exe 3836 Pfjcgn32.exe 4868 Pnakhkol.exe 3468 Pqpgdfnp.exe 3668 Pcncpbmd.exe 2292 Pgioqq32.exe 5052 Pjhlml32.exe 2516 Pmfhig32.exe 3920 Pdmpje32.exe 972 Pgllfp32.exe 232 Pjjhbl32.exe 4360 Pmidog32.exe 4960 Pcbmka32.exe 1868 Pfaigm32.exe 1672 Qnhahj32.exe 5108 Qqfmde32.exe 3224 Qdbiedpa.exe 3152 Qgqeappe.exe 2024 Qjoankoi.exe 1600 Qmmnjfnl.exe 3744 Qddfkd32.exe 3028 Qgcbgo32.exe 4644 Ajanck32.exe 3648 Ampkof32.exe 2096 Adgbpc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dlghoa32.exe Dmdhcddh.exe File opened for modification C:\Windows\SysWOW64\Fligqhga.exe Process not Found File created C:\Windows\SysWOW64\Ibcbfe32.dll Process not Found File created C:\Windows\SysWOW64\Halpnqlq.dll Pqknig32.exe File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe Dfpgffpm.exe File created C:\Windows\SysWOW64\Hkgnfhnh.exe Hhiajmod.exe File opened for modification C:\Windows\SysWOW64\Jdgafjpn.exe Jbiejoaj.exe File created C:\Windows\SysWOW64\Ljbfpo32.exe Lkofdbkj.exe File opened for modification C:\Windows\SysWOW64\Pkhjph32.exe Plejdkmm.exe File created C:\Windows\SysWOW64\Dahcld32.dll Process not Found File created C:\Windows\SysWOW64\Pnonbk32.exe Pfhfan32.exe File created C:\Windows\SysWOW64\Jhbffb32.dll Bnbmefbg.exe File created C:\Windows\SysWOW64\Kmdjdl32.dll Dhmgki32.exe File created C:\Windows\SysWOW64\Gepmlimi.exe Gadqlkep.exe File opened for modification C:\Windows\SysWOW64\Iggaah32.exe Ihdafkdg.exe File opened for modification C:\Windows\SysWOW64\Aolblopj.exe Ahbjoe32.exe File opened for modification C:\Windows\SysWOW64\Kjlopc32.exe Process not Found File created C:\Windows\SysWOW64\Hdkjpimd.dll Ioambknl.exe File opened for modification C:\Windows\SysWOW64\Acmobchj.exe Aoabad32.exe File created C:\Windows\SysWOW64\Jenmcggo.exe Process not Found File created C:\Windows\SysWOW64\Gfkcaoef.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe Process not Found File created C:\Windows\SysWOW64\Ddadpdmn.exe Dpehof32.exe File created C:\Windows\SysWOW64\Debbhd32.dll Eigonjcj.exe File created C:\Windows\SysWOW64\Fineoi32.exe Fdamgb32.exe File created C:\Windows\SysWOW64\Knbbep32.exe Kkcfid32.exe File opened for modification C:\Windows\SysWOW64\Nahgoe32.exe Nbefdijg.exe File created C:\Windows\SysWOW64\Jeciaina.dll Process not Found File created C:\Windows\SysWOW64\Hgncclck.dll Process not Found File created C:\Windows\SysWOW64\Jimehgni.dll Afgacokc.exe File created C:\Windows\SysWOW64\Nkenegog.dll Nilcjp32.exe File created C:\Windows\SysWOW64\Pmidog32.exe Pjjhbl32.exe File created C:\Windows\SysWOW64\Ooiolbic.dll Qqffjo32.exe File created C:\Windows\SysWOW64\Aocfbi32.dll Amcmpodi.exe File opened for modification C:\Windows\SysWOW64\Bidqko32.exe Bfedoc32.exe File created C:\Windows\SysWOW64\Dclkee32.exe Dannij32.exe File created C:\Windows\SysWOW64\Jdokpl32.dll Mejpje32.exe File created C:\Windows\SysWOW64\Fihnomjp.exe Process not Found File created C:\Windows\SysWOW64\Hmphmhjc.dll Pfaigm32.exe File opened for modification C:\Windows\SysWOW64\Piijno32.exe Pcobaedj.exe File created C:\Windows\SysWOW64\Qfglbe32.dll Ldipha32.exe File created C:\Windows\SysWOW64\Igegpo32.dll Ajdjin32.exe File created C:\Windows\SysWOW64\Phaahggp.exe Pecellgl.exe File created C:\Windows\SysWOW64\Heeeiopa.dll Process not Found File created C:\Windows\SysWOW64\Ghoqak32.dll Omgcpokp.exe File opened for modification C:\Windows\SysWOW64\Pmfhig32.exe Pjhlml32.exe File created C:\Windows\SysWOW64\Agoabn32.exe Aepefb32.exe File created C:\Windows\SysWOW64\Hbmcbime.exe Hkckeo32.exe File opened for modification C:\Windows\SysWOW64\Bjfjka32.exe Bggnof32.exe File opened for modification C:\Windows\SysWOW64\Bmlilh32.exe Bjnmpl32.exe File opened for modification C:\Windows\SysWOW64\Dpphjp32.exe Dmalne32.exe File created C:\Windows\SysWOW64\Djiiimel.dll Icnklbmj.exe File opened for modification C:\Windows\SysWOW64\Eejeiocj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ofnckp32.exe Ocpgod32.exe File opened for modification C:\Windows\SysWOW64\Idebdcdo.exe Inkjhi32.exe File opened for modification C:\Windows\SysWOW64\Edopabqn.exe Efkphnbd.exe File created C:\Windows\SysWOW64\Ppejnh32.dll Aaiimadl.exe File created C:\Windows\SysWOW64\Bdkohe32.dll Mglfplgk.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kqpoakco.exe Knbbep32.exe File opened for modification C:\Windows\SysWOW64\Jjoiil32.exe Jcdala32.exe File created C:\Windows\SysWOW64\Klplbbaq.dll Oaqbkn32.exe File created C:\Windows\SysWOW64\Nohffe32.dll Process not Found File created C:\Windows\SysWOW64\Jljbeali.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 9144 10180 Process not Found 1467 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcjiff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffhifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnbdioi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpfop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkadoiip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjmkoeqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhhdlid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngjch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgpod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclmamod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plagcbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaifp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnbog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpehof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgioqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcmga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nngokoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agoabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhgmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogifjcdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foqkdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empoiimf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgeaifia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahqddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhnkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhacgdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfjka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiajmod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqpgdfnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedbahod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmojenc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdehni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnpppgdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpneegel.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmkcqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpabql32.dll" Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kenggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdqegoi.dll" Oobfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iickkbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagpdj32.dll" Ehfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahqddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eephln32.dll" Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhimi32.dll" Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mldhfpib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfqg32.dll" Najceeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpglbfpm.dll" Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhpmfbl.dll" Bhkmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqindg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll" Nlmllkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll" Qmmnjfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgbmccpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbfklei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oobfob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaopfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhlkilba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcpchlo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aepefb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjknojbk.dll" Qkipkani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngmgne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhbfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeafpab.dll" Pcicklnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmklglpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaadfkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkmnpkk.dll" Ajcdnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iphioh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poajkgnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkincfn.dll" Nhlpfgbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdamgb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4424 wrote to memory of 4756 4424 9fed3887be350d7479ba5e4abef9aa80N.exe 84 PID 4424 wrote to memory of 4756 4424 9fed3887be350d7479ba5e4abef9aa80N.exe 84 PID 4424 wrote to memory of 4756 4424 9fed3887be350d7479ba5e4abef9aa80N.exe 84 PID 4756 wrote to memory of 1112 4756 Mnebeogl.exe 85 PID 4756 wrote to memory of 1112 4756 Mnebeogl.exe 85 PID 4756 wrote to memory of 1112 4756 Mnebeogl.exe 85 PID 1112 wrote to memory of 3240 1112 Ndokbi32.exe 86 PID 1112 wrote to memory of 3240 1112 Ndokbi32.exe 86 PID 1112 wrote to memory of 3240 1112 Ndokbi32.exe 86 PID 3240 wrote to memory of 4968 3240 Ngmgne32.exe 87 PID 3240 wrote to memory of 4968 3240 Ngmgne32.exe 87 PID 3240 wrote to memory of 4968 3240 Ngmgne32.exe 87 PID 4968 wrote to memory of 2548 4968 Nilcjp32.exe 88 PID 4968 wrote to memory of 2548 4968 Nilcjp32.exe 88 PID 4968 wrote to memory of 2548 4968 Nilcjp32.exe 88 PID 2548 wrote to memory of 2480 2548 Nngokoej.exe 89 PID 2548 wrote to memory of 2480 2548 Nngokoej.exe 89 PID 2548 wrote to memory of 2480 2548 Nngokoej.exe 89 PID 2480 wrote to memory of 4884 2480 Ndaggimg.exe 90 PID 2480 wrote to memory of 4884 2480 Ndaggimg.exe 90 PID 2480 wrote to memory of 4884 2480 Ndaggimg.exe 90 PID 4884 wrote to memory of 4016 4884 Ncdgcf32.exe 91 PID 4884 wrote to memory of 4016 4884 Ncdgcf32.exe 91 PID 4884 wrote to memory of 4016 4884 Ncdgcf32.exe 91 PID 4016 wrote to memory of 3792 4016 Njnpppkn.exe 92 PID 4016 wrote to memory of 3792 4016 Njnpppkn.exe 92 PID 4016 wrote to memory of 3792 4016 Njnpppkn.exe 92 PID 3792 wrote to memory of 3616 3792 Nlmllkja.exe 93 PID 3792 wrote to memory of 3616 3792 Nlmllkja.exe 93 PID 3792 wrote to memory of 3616 3792 Nlmllkja.exe 93 PID 3616 wrote to memory of 1728 3616 Ndcdmikd.exe 94 PID 3616 wrote to memory of 1728 3616 Ndcdmikd.exe 94 PID 3616 wrote to memory of 1728 3616 Ndcdmikd.exe 94 PID 1728 wrote to memory of 924 1728 Neeqea32.exe 96 PID 1728 wrote to memory of 924 1728 Neeqea32.exe 96 PID 1728 wrote to memory of 924 1728 Neeqea32.exe 96 PID 924 wrote to memory of 3776 924 Njqmepik.exe 97 PID 924 wrote to memory of 3776 924 Njqmepik.exe 97 PID 924 wrote to memory of 3776 924 Njqmepik.exe 97 PID 3776 wrote to memory of 2192 3776 Npjebj32.exe 98 PID 3776 wrote to memory of 2192 3776 Npjebj32.exe 98 PID 3776 wrote to memory of 2192 3776 Npjebj32.exe 98 PID 2192 wrote to memory of 4244 2192 Ncianepl.exe 99 PID 2192 wrote to memory of 4244 2192 Ncianepl.exe 99 PID 2192 wrote to memory of 4244 2192 Ncianepl.exe 99 PID 4244 wrote to memory of 3696 4244 Nfgmjqop.exe 100 PID 4244 wrote to memory of 3696 4244 Nfgmjqop.exe 100 PID 4244 wrote to memory of 3696 4244 Nfgmjqop.exe 100 PID 3696 wrote to memory of 876 3696 Nlaegk32.exe 101 PID 3696 wrote to memory of 876 3696 Nlaegk32.exe 101 PID 3696 wrote to memory of 876 3696 Nlaegk32.exe 101 PID 876 wrote to memory of 2460 876 Ndhmhh32.exe 102 PID 876 wrote to memory of 2460 876 Ndhmhh32.exe 102 PID 876 wrote to memory of 2460 876 Ndhmhh32.exe 102 PID 2460 wrote to memory of 780 2460 Nfjjppmm.exe 104 PID 2460 wrote to memory of 780 2460 Nfjjppmm.exe 104 PID 2460 wrote to memory of 780 2460 Nfjjppmm.exe 104 PID 780 wrote to memory of 4516 780 Olcbmj32.exe 105 PID 780 wrote to memory of 4516 780 Olcbmj32.exe 105 PID 780 wrote to memory of 4516 780 Olcbmj32.exe 105 PID 4516 wrote to memory of 2552 4516 Ogifjcdp.exe 106 PID 4516 wrote to memory of 2552 4516 Ogifjcdp.exe 106 PID 4516 wrote to memory of 2552 4516 Ogifjcdp.exe 106 PID 2552 wrote to memory of 4208 2552 Olfobjbg.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fed3887be350d7479ba5e4abef9aa80N.exe"C:\Users\Admin\AppData\Local\Temp\9fed3887be350d7479ba5e4abef9aa80N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4208 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe24⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe25⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe26⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe27⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe28⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe29⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe30⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe31⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:468 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe33⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe34⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe35⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe37⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe39⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe40⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe42⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe43⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe45⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe48⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe49⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe50⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe52⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe53⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe55⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe57⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe59⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe62⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe63⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe64⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe65⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe66⤵PID:4584
-
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe67⤵PID:1132
-
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe68⤵PID:4876
-
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe69⤵PID:4472
-
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe70⤵PID:1432
-
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe71⤵PID:4780
-
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe72⤵PID:4900
-
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe73⤵PID:3660
-
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe74⤵PID:4508
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe75⤵PID:2652
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe76⤵PID:4860
-
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe77⤵PID:4628
-
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe79⤵
- System Location Discovery: System Language Discovery
PID:4144 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe80⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe81⤵PID:4592
-
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe82⤵
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe83⤵PID:3092
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe84⤵PID:5132
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe85⤵PID:5176
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe86⤵PID:5220
-
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe87⤵PID:5264
-
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe88⤵PID:5312
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe89⤵PID:5364
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe90⤵
- System Location Discovery: System Language Discovery
PID:5408 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe91⤵PID:5452
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe92⤵PID:5496
-
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe93⤵PID:5540
-
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe94⤵PID:5584
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe95⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe96⤵PID:5672
-
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe97⤵PID:5716
-
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe98⤵PID:5764
-
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe99⤵PID:5816
-
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe100⤵PID:5860
-
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe101⤵PID:5928
-
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe102⤵PID:5976
-
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe103⤵PID:6016
-
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe104⤵PID:6064
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe105⤵PID:6116
-
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe106⤵PID:1956
-
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe107⤵PID:5152
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe109⤵PID:5328
-
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe110⤵PID:5396
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe111⤵PID:5468
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe112⤵
- System Location Discovery: System Language Discovery
PID:5548 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe113⤵PID:5624
-
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe114⤵PID:5724
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe115⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe116⤵PID:5940
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe117⤵
- Modifies registry class
PID:6028 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe118⤵PID:6100
-
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe119⤵PID:5140
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe120⤵PID:5308
-
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe121⤵PID:5464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-