Analysis
max time kernel: 114s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 18:03
Static task: static1
Behavioral task: behavioral1
Sample: fdd5b1b548f464606d8cd33202e33a10N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: fdd5b1b548f464606d8cd33202e33a10N.exe
Resource: win10v2004-20240802-en
General
Target: fdd5b1b548f464606d8cd33202e33a10N.exe
Size: 93KB
MD5: fdd5b1b548f464606d8cd33202e33a10
SHA1: 33a7d8358664fe28ca70e6c4c203e001d7f6ba6d
SHA256: f20ed0018f579337878071c7ac35cd7af07edfca4ec73baad1ba9289ef8ff014
SHA512: d2f6a7e336e61fb44eca1689b67403f29a654d4eff3d708e7e62b5303114b1cee1e8097b48dd733f1c0e95fdce48c3f78ca93f3da134046156d850368f6addaa
SSDEEP: 1536:ol69/MbLM+6GirCSM5wUZVCQA3QmORsRQORkRLJzeLD9N0iQGRNQR8RyV+32rR:c6k8GpOkCR3QmOOeOSJdEN0s4WE+3K
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 7548, pid_target 9056, Process: Process not Found, procid_target 1751
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdd5b1b548f464606d8cd33202e33a10N.exe"C:\Users\Admin\AppData\Local\Temp\fdd5b1b548f464606d8cd33202e33a10N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Kpppkqep.exeC:\Windows\system32\Kpppkqep.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Kemhcgdg.exeC:\Windows\system32\Kemhcgdg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Ldniqolf.exeC:\Windows\system32\Ldniqolf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Leoehg32.exeC:\Windows\system32\Leoehg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Llimeaia.exeC:\Windows\system32\Llimeaia.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Ldpefojd.exeC:\Windows\system32\Ldpefojd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Limnoehk.exeC:\Windows\system32\Limnoehk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Lpgfkpph.exeC:\Windows\system32\Lpgfkpph.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Lbebgkol.exeC:\Windows\system32\Lbebgkol.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Ledocfnp.exeC:\Windows\system32\Ledocfnp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Lmkfddnb.exeC:\Windows\system32\Lmkfddnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Lpicaome.exeC:\Windows\system32\Lpicaome.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Lbhomkmi.exeC:\Windows\system32\Lbhomkmi.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Libgje32.exeC:\Windows\system32\Libgje32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Lmmcjclo.exeC:\Windows\system32\Lmmcjclo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Lbjlbj32.exeC:\Windows\system32\Lbjlbj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Lehhof32.exeC:\Windows\system32\Lehhof32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Liddodbc.exeC:\Windows\system32\Liddodbc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Mlbpkpag.exeC:\Windows\system32\Mlbpkpag.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Mdjhlmai.exeC:\Windows\system32\Mdjhlmai.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Mclhhj32.exeC:\Windows\system32\Mclhhj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Mekdde32.exeC:\Windows\system32\Mekdde32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Mifqedpq.exeC:\Windows\system32\Mifqedpq.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3748 -
C:\Windows\SysWOW64\Mmbmec32.exeC:\Windows\system32\Mmbmec32.exe25⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Mpqian32.exeC:\Windows\system32\Mpqian32.exe26⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Mcoenjfa.exeC:\Windows\system32\Mcoenjfa.exe27⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Memajeee.exeC:\Windows\system32\Memajeee.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4456 -
C:\Windows\SysWOW64\Miimjd32.exeC:\Windows\system32\Miimjd32.exe29⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Mlgjfo32.exeC:\Windows\system32\Mlgjfo32.exe30⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Mpcegnek.exeC:\Windows\system32\Mpcegnek.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Windows\SysWOW64\Mcabcido.exeC:\Windows\system32\Mcabcido.exe32⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Mgmndh32.exeC:\Windows\system32\Mgmndh32.exe33⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Mikjpc32.exeC:\Windows\system32\Mikjpc32.exe34⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Mmgfqbdd.exeC:\Windows\system32\Mmgfqbdd.exe35⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Mliflo32.exeC:\Windows\system32\Mliflo32.exe36⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Mdqnml32.exeC:\Windows\system32\Mdqnml32.exe37⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Mccoiibl.exeC:\Windows\system32\Mccoiibl.exe38⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Mgokihke.exeC:\Windows\system32\Mgokihke.exe39⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Mimgecji.exeC:\Windows\system32\Mimgecji.exe40⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Mmicfb32.exeC:\Windows\system32\Mmicfb32.exe41⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Mpgobm32.exeC:\Windows\system32\Mpgobm32.exe42⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mdckbljo.exeC:\Windows\system32\Mdckbljo.exe43⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Mgagogib.exeC:\Windows\system32\Mgagogib.exe44⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Medgjd32.exeC:\Windows\system32\Medgjd32.exe45⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Nnkpla32.exeC:\Windows\system32\Nnkpla32.exe46⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Npjlhm32.exeC:\Windows\system32\Npjlhm32.exe47⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Ndehhlgl.exeC:\Windows\system32\Ndehhlgl.exe48⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ngdddg32.exeC:\Windows\system32\Ngdddg32.exe49⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Nefdpdmj.exeC:\Windows\system32\Nefdpdmj.exe50⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Nnnlaanl.exeC:\Windows\system32\Nnnlaanl.exe51⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Nplhmmmp.exeC:\Windows\system32\Nplhmmmp.exe52⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ndhdnk32.exeC:\Windows\system32\Ndhdnk32.exe53⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Ngfqjg32.exeC:\Windows\system32\Ngfqjg32.exe54⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Neiaeckg.exeC:\Windows\system32\Neiaeckg.exe55⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Njdmfb32.exeC:\Windows\system32\Njdmfb32.exe56⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Nlcibn32.exeC:\Windows\system32\Nlcibn32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4292 -
C:\Windows\SysWOW64\Npoeclkn.exeC:\Windows\system32\Npoeclkn.exe58⤵
- Executes dropped EXE
PID:5156 -
C:\Windows\SysWOW64\Ncmaohja.exeC:\Windows\system32\Ncmaohja.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Nghmpf32.exeC:\Windows\system32\Nghmpf32.exe60⤵
- Executes dropped EXE
PID:5236 -
C:\Windows\SysWOW64\Neknkcie.exeC:\Windows\system32\Neknkcie.exe61⤵
- Executes dropped EXE
PID:5276 -
C:\Windows\SysWOW64\Nnbelq32.exeC:\Windows\system32\Nnbelq32.exe62⤵
- Executes dropped EXE
PID:5316 -
C:\Windows\SysWOW64\Nlefhmaa.exeC:\Windows\system32\Nlefhmaa.exe63⤵
- Executes dropped EXE
PID:5356 -
C:\Windows\SysWOW64\Ndlnikad.exeC:\Windows\system32\Ndlnikad.exe64⤵
- Executes dropped EXE
PID:5396 -
C:\Windows\SysWOW64\Ncondg32.exeC:\Windows\system32\Ncondg32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5436 -
C:\Windows\SysWOW64\Ngkjefqh.exeC:\Windows\system32\Ngkjefqh.exe66⤵PID:5476
-
C:\Windows\SysWOW64\Njifaapk.exeC:\Windows\system32\Njifaapk.exe67⤵PID:5508
-
C:\Windows\SysWOW64\Nnebap32.exeC:\Windows\system32\Nnebap32.exe68⤵PID:5548
-
C:\Windows\SysWOW64\Nlgbmmoo.exeC:\Windows\system32\Nlgbmmoo.exe69⤵PID:5588
-
C:\Windows\SysWOW64\Ndoknjpa.exeC:\Windows\system32\Ndoknjpa.exe70⤵PID:5628
-
C:\Windows\SysWOW64\Ncakjg32.exeC:\Windows\system32\Ncakjg32.exe71⤵PID:5676
-
C:\Windows\SysWOW64\Nfpgfb32.exeC:\Windows\system32\Nfpgfb32.exe72⤵PID:5716
-
C:\Windows\SysWOW64\Ojlcgani.exeC:\Windows\system32\Ojlcgani.exe73⤵PID:5748
-
C:\Windows\SysWOW64\Oljocm32.exeC:\Windows\system32\Oljocm32.exe74⤵PID:5788
-
C:\Windows\SysWOW64\Opekckee.exeC:\Windows\system32\Opekckee.exe75⤵PID:5836
-
C:\Windows\SysWOW64\Ocdgpgdi.exeC:\Windows\system32\Ocdgpgdi.exe76⤵PID:5868
-
C:\Windows\SysWOW64\Ogpcpe32.exeC:\Windows\system32\Ogpcpe32.exe77⤵PID:5908
-
C:\Windows\SysWOW64\Ojnpla32.exeC:\Windows\system32\Ojnpla32.exe78⤵PID:5956
-
C:\Windows\SysWOW64\Olllhl32.exeC:\Windows\system32\Olllhl32.exe79⤵PID:5996
-
C:\Windows\SysWOW64\Ophhikcc.exeC:\Windows\system32\Ophhikcc.exe80⤵
- System Location Discovery: System Language Discovery
PID:6028 -
C:\Windows\SysWOW64\Ocfdefbf.exeC:\Windows\system32\Ocfdefbf.exe81⤵PID:6076
-
C:\Windows\SysWOW64\Ofdqabaj.exeC:\Windows\system32\Ofdqabaj.exe82⤵PID:6116
-
C:\Windows\SysWOW64\Onlhbobl.exeC:\Windows\system32\Onlhbobl.exe83⤵PID:4880
-
C:\Windows\SysWOW64\Oloinlig.exeC:\Windows\system32\Oloinlig.exe84⤵PID:3716
-
C:\Windows\SysWOW64\Odfqoiii.exeC:\Windows\system32\Odfqoiii.exe85⤵PID:756
-
C:\Windows\SysWOW64\Ogdmkdhm.exeC:\Windows\system32\Ogdmkdhm.exe86⤵PID:5096
-
C:\Windows\SysWOW64\Ofgmga32.exeC:\Windows\system32\Ofgmga32.exe87⤵PID:5136
-
C:\Windows\SysWOW64\Onneho32.exeC:\Windows\system32\Onneho32.exe88⤵PID:5180
-
C:\Windows\SysWOW64\Oqmadj32.exeC:\Windows\system32\Oqmadj32.exe89⤵PID:5260
-
C:\Windows\SysWOW64\Odhmdigf.exeC:\Windows\system32\Odhmdigf.exe90⤵PID:5324
-
C:\Windows\SysWOW64\Ocknpf32.exeC:\Windows\system32\Ocknpf32.exe91⤵PID:5384
-
C:\Windows\SysWOW64\Ofijla32.exeC:\Windows\system32\Ofijla32.exe92⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Onqbno32.exeC:\Windows\system32\Onqbno32.exe93⤵PID:5516
-
C:\Windows\SysWOW64\Oqonjjmk.exeC:\Windows\system32\Oqonjjmk.exe94⤵PID:2380
-
C:\Windows\SysWOW64\Ocmjfelo.exeC:\Windows\system32\Ocmjfelo.exe95⤵PID:5656
-
C:\Windows\SysWOW64\Ogiffd32.exeC:\Windows\system32\Ogiffd32.exe96⤵PID:5732
-
C:\Windows\SysWOW64\Pncocnld.exeC:\Windows\system32\Pncocnld.exe97⤵PID:5820
-
C:\Windows\SysWOW64\Pgkclc32.exeC:\Windows\system32\Pgkclc32.exe98⤵PID:5892
-
C:\Windows\SysWOW64\Pjjoho32.exeC:\Windows\system32\Pjjoho32.exe99⤵PID:5964
-
C:\Windows\SysWOW64\Pmhldk32.exeC:\Windows\system32\Pmhldk32.exe100⤵PID:6020
-
C:\Windows\SysWOW64\Pcbdad32.exeC:\Windows\system32\Pcbdad32.exe101⤵
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Pgnpacpb.exeC:\Windows\system32\Pgnpacpb.exe102⤵PID:1844
-
C:\Windows\SysWOW64\Pjllnopf.exeC:\Windows\system32\Pjllnopf.exe103⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Pmjhjjoj.exeC:\Windows\system32\Pmjhjjoj.exe104⤵PID:2636
-
C:\Windows\SysWOW64\Pdapkgol.exeC:\Windows\system32\Pdapkgol.exe105⤵PID:4340
-
C:\Windows\SysWOW64\Pgplgcnp.exeC:\Windows\system32\Pgplgcnp.exe106⤵PID:5284
-
C:\Windows\SysWOW64\Pjnicomc.exeC:\Windows\system32\Pjnicomc.exe107⤵PID:5948
-
C:\Windows\SysWOW64\Pnjecm32.exeC:\Windows\system32\Pnjecm32.exe108⤵PID:3712
-
C:\Windows\SysWOW64\Pddmqgmi.exeC:\Windows\system32\Pddmqgmi.exe109⤵PID:5544
-
C:\Windows\SysWOW64\Pgbimb32.exeC:\Windows\system32\Pgbimb32.exe110⤵PID:1424
-
C:\Windows\SysWOW64\Pfeihpcg.exeC:\Windows\system32\Pfeihpcg.exe111⤵PID:952
-
C:\Windows\SysWOW64\Pnlaimcj.exeC:\Windows\system32\Pnlaimcj.exe112⤵PID:3424
-
C:\Windows\SysWOW64\Pdfjfg32.exeC:\Windows\system32\Pdfjfg32.exe113⤵PID:5972
-
C:\Windows\SysWOW64\Qgdfbb32.exeC:\Windows\system32\Qgdfbb32.exe114⤵PID:6064
-
C:\Windows\SysWOW64\Qjcbnn32.exeC:\Windows\system32\Qjcbnn32.exe115⤵PID:376
-
C:\Windows\SysWOW64\Qnonolag.exeC:\Windows\system32\Qnonolag.exe116⤵PID:4840
-
C:\Windows\SysWOW64\Qckfgcpo.exeC:\Windows\system32\Qckfgcpo.exe117⤵PID:4436
-
C:\Windows\SysWOW64\Qfjcco32.exeC:\Windows\system32\Qfjcco32.exe118⤵PID:5536
-
C:\Windows\SysWOW64\Qjeodmgk.exeC:\Windows\system32\Qjeodmgk.exe119⤵PID:5700
-
C:\Windows\SysWOW64\Qnakdl32.exeC:\Windows\system32\Qnakdl32.exe120⤵PID:5200
-
C:\Windows\SysWOW64\Qqogqg32.exeC:\Windows\system32\Qqogqg32.exe121⤵PID:6016
-
C:\Windows\SysWOW64\Acncmc32.exeC:\Windows\system32\Acncmc32.exe122⤵PID:1320