Analysis
max time kernel: 110s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/09/2024, 03:55

Static task: static1
Behavioral task: behavioral1
  Sample: d07e397ca9a33be97c279faaae6db500N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d07e397ca9a33be97c279faaae6db500N.exe
  Resource: win10v2004-20240802-en
General
Target: d07e397ca9a33be97c279faaae6db500N.exe
Size: 109KB
MD5: d07e397ca9a33be97c279faaae6db500
SHA1: f1045201502164138e624ba7263cb78d24c0ed9e
SHA256: 68fb4cefe302356d62a6e4a568a0fdf7f567253d4247d642ccec159d0c237bbf
SHA512: 4314a87b9bb30eb6f4b3cc006e7836de3626ba47435453a3b23593d3bb399e0b1a07c931de9d8f335ec71cd8a758ea1bb8e4e15d3be9045310d272280e2cac04
SSDEEP: 3072:8CS4Quzjmqj22+nxeJYZ36jY7IZd8fo3PXl9Z7S/yCsKh2EzZA/z:C4fvmqT+nsyZGY7edgo35e/yCthvUz
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpfnheef.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inaoja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mblqdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cechje32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcnoam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lmofpaai.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idgefb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Polflfim.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbebaeii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Acafcdho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doeoii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbfeldnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agaaih32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Naedhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgbcgc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkokoc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llgpfmdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmkdaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edomhh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jinqco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kncegnjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aefgpnbg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aggaonaa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afokejdg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdldih32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdajngjk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldifeqda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlqkci32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlbhhefe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hgikmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jhpfnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mldeme32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgodchcn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onheiabg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jeckmgco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jeckmgco.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojlbnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gpojiafl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Phdjel32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qogeheop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpklpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baiinb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfobfmpc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pommfmmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dcpcbmaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Glimokdo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipjkagjp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idegae32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnokiqlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjacfqhl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plkmjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbpfhjjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jghmipmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifkkldmn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohibdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lmdkical.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcpfbq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dieeje32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dilkjdon.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjlbpk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afikpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hhkkfa32.exe
Executes dropped EXE (64 IoCs)

pid | Process
1184 | Kmifjh32.exe
5156 | Kpgcfd32.exe
4988 | Kfakbnam.exe
1452 | Kkmgcm32.exe
4760 | Kagopg32.exe
5420 | Kdellb32.exe
1788 | Kkodilhc.exe
4324 | Kmnpehgg.exe
6052 | Kdhhaa32.exe
6104 | Lidqji32.exe
6076 | Lpoifc32.exe
5804 | Lbmebn32.exe
5960 | Lmbipg32.exe
1604 | Ldlamajo.exe
5824 | Lapbfeih.exe
808 | Ldonbq32.exe
5784 | Lkifokpi.exe
3600 | Ldakhq32.exe
5760 | Lgpgdl32.exe
1696 | Laelad32.exe
1220 | Lphlmaln.exe
4584 | Mgbdilck.exe
3804 | Mmllfe32.exe
4856 | Mgdqokah.exe
5740 | Mkpmpj32.exe
5368 | Mdhahppa.exe
2424 | Mkbieihn.exe
1568 | Mcmnilei.exe
5424 | Mjgfff32.exe
5260 | Mcpkolcg.exe
2508 | Mkgcpi32.exe
4332 | Maqkmckf.exe
652 | Ncbgdk32.exe
1556 | Ngncejim.exe
4628 | Ngppkigk.exe
4296 | Naedhb32.exe
4140 | Ncgapjmo.exe
2100 | Nkniahna.exe
5088 | Nahanb32.exe
5732 | Ngdjfi32.exe
2896 | Nnobbc32.exe
1156 | Ndhjombo.exe
1544 | Nkbblg32.exe
3352 | Nalkiaah.exe
4252 | Ogicahop.exe
3216 | Oncknb32.exe
3096 | Oqagjneq.exe
3436 | Ojjlbc32.exe
4056 | Obaddq32.exe
5484 | Ognmlg32.exe
1476 | Onheiabg.exe
5780 | Ocemah32.exe
5788 | Ojoenbhl.exe
5528 | Oddjkkha.exe
1212 | Oknbhe32.exe
5556 | Pbhjdpgk.exe
5540 | Pdffqk32.exe
2156 | Pgebmf32.exe
4572 | Pnokiqlo.exe
1384 | Pdicfk32.exe
4400 | Pggobf32.exe
4280 | Pbmcpo32.exe
1648 | Pqpdkliq.exe
5956 | Pjhhdapa.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Hcijfblm.dll | Ekjloh32.exe
File created | C:\Windows\SysWOW64\Pliajb32.dll | Fhdloell.exe
File opened for modification | C:\Windows\SysWOW64\Hkdpba32.exe | Hghdbblj.exe
File opened for modification | C:\Windows\SysWOW64\Gccjmc32.exe | Ghnepjhm.exe
File created | C:\Windows\SysWOW64\Qdaobc32.exe | Qqfcad32.exe
File opened for modification | C:\Windows\SysWOW64\Jnhekpdk.exe | Jgnmof32.exe
File created | C:\Windows\SysWOW64\Gnbnnc32.dll | Kmifjh32.exe
File created | C:\Windows\SysWOW64\Lcljln32.dll | Lbahcg32.exe
File created | C:\Windows\SysWOW64\Mecfplcn.exe | Mfqfdo32.exe
File created | C:\Windows\SysWOW64\Oofjhaen.dll | Ipolgl32.exe
File opened for modification | C:\Windows\SysWOW64\Kmcfdblf.exe | Kfjngh32.exe
File opened for modification | C:\Windows\SysWOW64\Cjlfhp32.exe | Cgnjldik.exe
File opened for modification | C:\Windows\SysWOW64\Hmnjnc32.exe | Hkpnbh32.exe
File created | C:\Windows\SysWOW64\Gjnjbgni.dll | Nnobbc32.exe
File opened for modification | C:\Windows\SysWOW64\Daehkd32.exe | Dklpnjcf.exe
File created | C:\Windows\SysWOW64\Neofljiq.exe | Noenop32.exe
File created | C:\Windows\SysWOW64\Cldcfpah.dll | Process not Found
File created | C:\Windows\SysWOW64\Ilidhn32.dll | Ncbgdk32.exe
File created | C:\Windows\SysWOW64\Jfmhadkk.exe | Jnfppfji.exe
File created | C:\Windows\SysWOW64\Gmeghe32.exe | Ggkokkkf.exe
File created | C:\Windows\SysWOW64\Ljfehnfd.exe | Lghilbfq.exe
File opened for modification | C:\Windows\SysWOW64\Eehjlbmd.exe | Ekbfoi32.exe
File created | C:\Windows\SysWOW64\Igmgelbb.dll | Agfkdgmf.exe
File created | C:\Windows\SysWOW64\Baiinb32.exe | Bmmmmcgn.exe
File created | C:\Windows\SysWOW64\Klqcif32.dll | Jnmfqe32.exe
File created | C:\Windows\SysWOW64\Mconefmh.dll | Bgmqef32.exe
File opened for modification | C:\Windows\SysWOW64\Iljfei32.exe | Iikjim32.exe
File opened for modification | C:\Windows\SysWOW64\Hhinabjd.exe | Haofdh32.exe
File created | C:\Windows\SysWOW64\Dmghgp32.dll | Neofljiq.exe
File created | C:\Windows\SysWOW64\Iecacinb.dll | Paolca32.exe
File created | C:\Windows\SysWOW64\Ncbgdk32.exe | Maqkmckf.exe
File opened for modification | C:\Windows\SysWOW64\Pdffqk32.exe | Pbhjdpgk.exe
File created | C:\Windows\SysWOW64\Keepbnel.dll | Glehei32.exe
File created | C:\Windows\SysWOW64\Bkjoekhg.dll | Kfcang32.exe
File created | C:\Windows\SysWOW64\Cbbohj32.exe | Cjkggl32.exe
File created | C:\Windows\SysWOW64\Qhbdihag.dll | Fceedjon.exe
File created | C:\Windows\SysWOW64\Jnebkj32.exe | Jkffoo32.exe
File opened for modification | C:\Windows\SysWOW64\Kkmgcm32.exe | Kfakbnam.exe
File opened for modification | C:\Windows\SysWOW64\Ihpdaadl.exe | Ibfleg32.exe
File opened for modification | C:\Windows\SysWOW64\Keqacncc.exe | Kbbdgcdo.exe
File created | C:\Windows\SysWOW64\Ojnadb32.dll | Phbejb32.exe
File opened for modification | C:\Windows\SysWOW64\Hpclkncc.exe | Hnepobdp.exe
File created | C:\Windows\SysWOW64\Ihongkpq.exe | Iaeejqic.exe
File opened for modification | C:\Windows\SysWOW64\Ndhjombo.exe | Nnobbc32.exe
File opened for modification | C:\Windows\SysWOW64\Jgodil32.exe | Jfmhadkk.exe
File created | C:\Windows\SysWOW64\Leliefej.exe | Lbmmikff.exe
File created | C:\Windows\SysWOW64\Lehgqplp.dll | Hhkkfa32.exe
File created | C:\Windows\SysWOW64\Mblhcnhi.dll | Aqalbmbc.exe
File created | C:\Windows\SysWOW64\Nadfjimg.dll | Gblokfac.exe
File opened for modification | C:\Windows\SysWOW64\Jpaabf32.exe | Jghmipmg.exe
File opened for modification | C:\Windows\SysWOW64\Mdhahppa.exe | Mkpmpj32.exe
File created | C:\Windows\SysWOW64\Bhjneadh.exe | Bbnemjfq.exe
File created | C:\Windows\SysWOW64\Emmejmhl.dll | Kfkdbb32.exe
File created | C:\Windows\SysWOW64\Moaboq32.dll | Qfphie32.exe
File opened for modification | C:\Windows\SysWOW64\Lbmebn32.exe | Lpoifc32.exe
File created | C:\Windows\SysWOW64\Lhmiah32.exe | Leomel32.exe
File created | C:\Windows\SysWOW64\Hejfdg32.dll | Kmjhcdig.exe
File created | C:\Windows\SysWOW64\Ghpecm32.dll | Kkmgcm32.exe
File created | C:\Windows\SysWOW64\Cjmmenll.dll | Nllbhjbf.exe
File created | C:\Windows\SysWOW64\Beinip32.exe | Bmbfhb32.exe
File created | C:\Windows\SysWOW64\Koidcj32.dll | Gafcni32.exe
File opened for modification | C:\Windows\SysWOW64\Bqfenlnn.exe | Bjlmab32.exe
File created | C:\Windows\SysWOW64\Pdkiad32.exe | Plcapg32.exe
File created | C:\Windows\SysWOW64\Kgjmjd32.exe | Kqpdnjkc.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
6768 | 656 | Process not Found | 1165
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iljfei32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbmgoean.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acglcpmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gemfchgq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjkkpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Najiadgc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcimangn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acnbco32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlmomf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlkkndnk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojbnjjmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbiqgk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hamioh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohhkin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlqkci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acpoinec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfgjgbbq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdhidp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lenfjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foikqphn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bckgjfgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jaaefo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhfemp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jconna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikoghcfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfodlg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgqbhe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anodpn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddaagjhn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogeifl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Minlfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knqaghhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oalfgd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jicahdgb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nikigoee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocajabof.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbdoogob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dilkjdon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kflkmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghodpmoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idhkak32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdqfpicd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfngbhpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjmhek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qkjmbfii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnebkj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkbieihn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qqhpgdnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbndca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ledcdg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Biajbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plbckjfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkgoflek.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emnoko32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Empdfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bchdjp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emonka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lciiknmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fcjggd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdgjnimf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lblgnale.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afikpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njfnok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmjhcdig.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mkgcpi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qklniccn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkgemcf.dll" | Jicahdgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lbokng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mghcpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kjjflopa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegojnoj.dll" | Jlkgda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ejahjl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hnoqhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hoqjhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Leejon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nilhgbkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oaapbcql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enakha32.dll" | Ahejfpeg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Higgid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lmandc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmhjcoc.dll" | Ddfalohd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Habaic32.dll" | Gjcglcbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Maqkmckf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Behkbkeg.dll" | Mibfqpmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfpjfmjm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jfdnbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bifcmngd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kmcfdblf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaong32.dll" | Nnknbmii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lejcjmkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lekkdcod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jmjcndca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhgfp32.dll" | Bnmigfna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkoma32.dll" | Lhmiah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fpgchb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kqpdnjkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lidqji32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Haabjgqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lpphgfkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnknll32.dll" | Jbbbkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jknbjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Afgnjdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gpojiafl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gagiibec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jnhekpdk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oieknacq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kecdcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Afndkcpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcaei32.dll" | Djhecn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akeajeae.dll" | Gheajnfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eindci32.dll" | Gkkdgipi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhahmgk.dll" | Kecdcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oenign32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hgehlpgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Plegkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lenfjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcafbf32.dll" | Lpphgfkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjclh32.dll" | Leomel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Damdeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ehafbhma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fajcbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdlgk32.dll" | Maqkmckf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Coklcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lfencg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngaffc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bjldkhjm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | times listed
PID 2228 wrote to memory of 1184 | 2228 | d07e397ca9a33be97c279faaae6db500N.exe | 85 | 3
PID 1184 wrote to memory of 5156 | 1184 | Kmifjh32.exe | 86 | 3
PID 5156 wrote to memory of 4988 | 5156 | Kpgcfd32.exe | 87 | 3
PID 4988 wrote to memory of 1452 | 4988 | Kfakbnam.exe | 89 | 3
PID 1452 wrote to memory of 4760 | 1452 | Kkmgcm32.exe | 90 | 3
PID 4760 wrote to memory of 5420 | 4760 | Kagopg32.exe | 91 | 3
PID 5420 wrote to memory of 1788 | 5420 | Kdellb32.exe | 92 | 3
PID 1788 wrote to memory of 4324 | 1788 | Kkodilhc.exe | 93 | 3
PID 4324 wrote to memory of 6052 | 4324 | Kmnpehgg.exe | 94 | 3
PID 6052 wrote to memory of 6104 | 6052 | Kdhhaa32.exe | 95 | 3
PID 6104 wrote to memory of 6076 | 6104 | Lidqji32.exe | 96 | 3
PID 6076 wrote to memory of 5804 | 6076 | Lpoifc32.exe | 97 | 3
PID 5804 wrote to memory of 5960 | 5804 | Lbmebn32.exe | 98 | 3
PID 5960 wrote to memory of 1604 | 5960 | Lmbipg32.exe | 99 | 3
PID 1604 wrote to memory of 5824 | 1604 | Ldlamajo.exe | 100 | 3
PID 5824 wrote to memory of 808 | 5824 | Lapbfeih.exe | 101 | 3
PID 808 wrote to memory of 5784 | 808 | Ldonbq32.exe | 102 | 3
PID 5784 wrote to memory of 3600 | 5784 | Lkifokpi.exe | 103 | 3
PID 3600 wrote to memory of 5760 | 3600 | Ldakhq32.exe | 104 | 3
PID 5760 wrote to memory of 1696 | 5760 | Lgpgdl32.exe | 105 | 3
PID 1696 wrote to memory of 1220 | 1696 | Laelad32.exe | 106 | 3
PID 1220 wrote to memory of 4584 | 1220 | Lphlmaln.exe | 107 | 1
Processes
Each entry: [nesting depth] image path | cmd: command line | PID | signatures triggered by that process. Every process in the chain is the child of the entry above it.
- [1] C:\Users\Admin\AppData\Local\Temp\d07e397ca9a33be97c279faaae6db500N.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\d07e397ca9a33be97c279faaae6db500N.exe" | PID 2228 | Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Kmifjh32.exe | cmd: C:\Windows\system32\Kmifjh32.exe | PID 1184 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Kpgcfd32.exe | cmd: C:\Windows\system32\Kpgcfd32.exe | PID 5156 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Kfakbnam.exe | cmd: C:\Windows\system32\Kfakbnam.exe | PID 4988 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Kkmgcm32.exe | cmd: C:\Windows\system32\Kkmgcm32.exe | PID 1452 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Kagopg32.exe | cmd: C:\Windows\system32\Kagopg32.exe | PID 4760 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Kdellb32.exe | cmd: C:\Windows\system32\Kdellb32.exe | PID 5420 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Kkodilhc.exe | cmd: C:\Windows\system32\Kkodilhc.exe | PID 1788 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Kmnpehgg.exe | cmd: C:\Windows\system32\Kmnpehgg.exe | PID 4324 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Kdhhaa32.exe | cmd: C:\Windows\system32\Kdhhaa32.exe | PID 6052 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Lidqji32.exe | cmd: C:\Windows\system32\Lidqji32.exe | PID 6104 | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Lpoifc32.exe | cmd: C:\Windows\system32\Lpoifc32.exe | PID 6076 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Lbmebn32.exe | cmd: C:\Windows\system32\Lbmebn32.exe | PID 5804 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Lmbipg32.exe | cmd: C:\Windows\system32\Lmbipg32.exe | PID 5960 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Ldlamajo.exe | cmd: C:\Windows\system32\Ldlamajo.exe | PID 1604 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Lapbfeih.exe | cmd: C:\Windows\system32\Lapbfeih.exe | PID 5824 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Ldonbq32.exe | cmd: C:\Windows\system32\Ldonbq32.exe | PID 808 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [18] C:\Windows\SysWOW64\Lkifokpi.exe | cmd: C:\Windows\system32\Lkifokpi.exe | PID 5784 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [19] C:\Windows\SysWOW64\Ldakhq32.exe | cmd: C:\Windows\system32\Ldakhq32.exe | PID 3600 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [20] C:\Windows\SysWOW64\Lgpgdl32.exe | cmd: C:\Windows\system32\Lgpgdl32.exe | PID 5760 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [21] C:\Windows\SysWOW64\Laelad32.exe | cmd: C:\Windows\system32\Laelad32.exe | PID 1696 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [22] C:\Windows\SysWOW64\Lphlmaln.exe | cmd: C:\Windows\system32\Lphlmaln.exe | PID 1220 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- [23] C:\Windows\SysWOW64\Mgbdilck.exe | cmd: C:\Windows\system32\Mgbdilck.exe | PID 4584 | Executes dropped EXE
- [24] C:\Windows\SysWOW64\Mmllfe32.exe | cmd: C:\Windows\system32\Mmllfe32.exe | PID 3804 | Executes dropped EXE
- [25] C:\Windows\SysWOW64\Mgdqokah.exe | cmd: C:\Windows\system32\Mgdqokah.exe | PID 4856 | Executes dropped EXE
- [26] C:\Windows\SysWOW64\Mkpmpj32.exe | cmd: C:\Windows\system32\Mkpmpj32.exe | PID 5740 | Executes dropped EXE; Drops file in System32 directory
- [27] C:\Windows\SysWOW64\Mdhahppa.exe | cmd: C:\Windows\system32\Mdhahppa.exe | PID 5368 | Executes dropped EXE
- [28] C:\Windows\SysWOW64\Mkbieihn.exe | cmd: C:\Windows\system32\Mkbieihn.exe | PID 2424 | Executes dropped EXE; System Location Discovery: System Language Discovery
- [29] C:\Windows\SysWOW64\Mcmnilei.exe | cmd: C:\Windows\system32\Mcmnilei.exe | PID 1568 | Executes dropped EXE
- [30] C:\Windows\SysWOW64\Mjgfff32.exe | cmd: C:\Windows\system32\Mjgfff32.exe | PID 5424 | Executes dropped EXE
- [31] C:\Windows\SysWOW64\Mcpkolcg.exe | cmd: C:\Windows\system32\Mcpkolcg.exe | PID 5260 | Executes dropped EXE
- [32] C:\Windows\SysWOW64\Mkgcpi32.exe | cmd: C:\Windows\system32\Mkgcpi32.exe | PID 2508 | Executes dropped EXE; Modifies registry class
- [33] C:\Windows\SysWOW64\Maqkmckf.exe | cmd: C:\Windows\system32\Maqkmckf.exe | PID 4332 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
- [34] C:\Windows\SysWOW64\Ncbgdk32.exe | cmd: C:\Windows\system32\Ncbgdk32.exe | PID 652 | Executes dropped EXE; Drops file in System32 directory
- [35] C:\Windows\SysWOW64\Ngncejim.exe | cmd: C:\Windows\system32\Ngncejim.exe | PID 1556 | Executes dropped EXE
- [36] C:\Windows\SysWOW64\Ngppkigk.exe | cmd: C:\Windows\system32\Ngppkigk.exe | PID 4628 | Executes dropped EXE
- [37] C:\Windows\SysWOW64\Naedhb32.exe | cmd: C:\Windows\system32\Naedhb32.exe | PID 4296 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [38] C:\Windows\SysWOW64\Ncgapjmo.exe | cmd: C:\Windows\system32\Ncgapjmo.exe | PID 4140 | Executes dropped EXE
- [39] C:\Windows\SysWOW64\Nkniahna.exe | cmd: C:\Windows\system32\Nkniahna.exe | PID 2100 | Executes dropped EXE
- [40] C:\Windows\SysWOW64\Nahanb32.exe | cmd: C:\Windows\system32\Nahanb32.exe | PID 5088 | Executes dropped EXE
- [41] C:\Windows\SysWOW64\Ngdjfi32.exe | cmd: C:\Windows\system32\Ngdjfi32.exe | PID 5732 | Executes dropped EXE
- [42] C:\Windows\SysWOW64\Nnobbc32.exe | cmd: C:\Windows\system32\Nnobbc32.exe | PID 2896 | Executes dropped EXE; Drops file in System32 directory
- [43] C:\Windows\SysWOW64\Ndhjombo.exe | cmd: C:\Windows\system32\Ndhjombo.exe | PID 1156 | Executes dropped EXE
- [44] C:\Windows\SysWOW64\Nkbblg32.exe | cmd: C:\Windows\system32\Nkbblg32.exe | PID 1544 | Executes dropped EXE
- [45] C:\Windows\SysWOW64\Nalkiaah.exe | cmd: C:\Windows\system32\Nalkiaah.exe | PID 3352 | Executes dropped EXE
- [46] C:\Windows\SysWOW64\Ogicahop.exe | cmd: C:\Windows\system32\Ogicahop.exe | PID 4252 | Executes dropped EXE
- [47] C:\Windows\SysWOW64\Oncknb32.exe | cmd: C:\Windows\system32\Oncknb32.exe | PID 3216 | Executes dropped EXE
- [48] C:\Windows\SysWOW64\Oqagjneq.exe | cmd: C:\Windows\system32\Oqagjneq.exe | PID 3096 | Executes dropped EXE
- [49] C:\Windows\SysWOW64\Ojjlbc32.exe | cmd: C:\Windows\system32\Ojjlbc32.exe | PID 3436 | Executes dropped EXE
- [50] C:\Windows\SysWOW64\Obaddq32.exe | cmd: C:\Windows\system32\Obaddq32.exe | PID 4056 | Executes dropped EXE
- [51] C:\Windows\SysWOW64\Ognmlg32.exe | cmd: C:\Windows\system32\Ognmlg32.exe | PID 5484 | Executes dropped EXE
- [52] C:\Windows\SysWOW64\Onheiabg.exe | cmd: C:\Windows\system32\Onheiabg.exe | PID 1476 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [53] C:\Windows\SysWOW64\Ocemah32.exe | cmd: C:\Windows\system32\Ocemah32.exe | PID 5780 | Executes dropped EXE
- [54] C:\Windows\SysWOW64\Ojoenbhl.exe | cmd: C:\Windows\system32\Ojoenbhl.exe | PID 5788 | Executes dropped EXE
- [55] C:\Windows\SysWOW64\Oddjkkha.exe | cmd: C:\Windows\system32\Oddjkkha.exe | PID 5528 | Executes dropped EXE
- [56] C:\Windows\SysWOW64\Oknbhe32.exe | cmd: C:\Windows\system32\Oknbhe32.exe | PID 1212 | Executes dropped EXE
- [57] C:\Windows\SysWOW64\Pbhjdpgk.exe | cmd: C:\Windows\system32\Pbhjdpgk.exe | PID 5556 | Executes dropped EXE; Drops file in System32 directory
- [58] C:\Windows\SysWOW64\Pdffqk32.exe | cmd: C:\Windows\system32\Pdffqk32.exe | PID 5540 | Executes dropped EXE
- [59] C:\Windows\SysWOW64\Pgebmf32.exe | cmd: C:\Windows\system32\Pgebmf32.exe | PID 2156 | Executes dropped EXE
- [60] C:\Windows\SysWOW64\Pnokiqlo.exe | cmd: C:\Windows\system32\Pnokiqlo.exe | PID 4572 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [61] C:\Windows\SysWOW64\Pdicfk32.exe | cmd: C:\Windows\system32\Pdicfk32.exe | PID 1384 | Executes dropped EXE
- [62] C:\Windows\SysWOW64\Pggobf32.exe | cmd: C:\Windows\system32\Pggobf32.exe | PID 4400 | Executes dropped EXE
- [63] C:\Windows\SysWOW64\Pbmcpo32.exe | cmd: C:\Windows\system32\Pbmcpo32.exe | PID 4280 | Executes dropped EXE
- [64] C:\Windows\SysWOW64\Pqpdkliq.exe | cmd: C:\Windows\system32\Pqpdkliq.exe | PID 1648 | Executes dropped EXE
- [65] C:\Windows\SysWOW64\Pjhhdapa.exe | cmd: C:\Windows\system32\Pjhhdapa.exe | PID 5956 | Executes dropped EXE
- [66] C:\Windows\SysWOW64\Pncddp32.exe | cmd: C:\Windows\system32\Pncddp32.exe | PID 5888
- [67] C:\Windows\SysWOW64\Pqbqqk32.exe | cmd: C:\Windows\system32\Pqbqqk32.exe | PID 5500
- [68] C:\Windows\SysWOW64\Pkgend32.exe | cmd: C:\Windows\system32\Pkgend32.exe | PID 3748
- [69] C:\Windows\SysWOW64\Pqdmfk32.exe | cmd: C:\Windows\system32\Pqdmfk32.exe | PID 2028
- [70] C:\Windows\SysWOW64\Pgnecemh.exe | cmd: C:\Windows\system32\Pgnecemh.exe | PID 2988
- [71] C:\Windows\SysWOW64\Pjmaoq32.exe | cmd: C:\Windows\system32\Pjmaoq32.exe | PID 3180
- [72] C:\Windows\SysWOW64\Qqgjlkch.exe | cmd: C:\Windows\system32\Qqgjlkch.exe | PID 5056
- [73] C:\Windows\SysWOW64\Qgqbhe32.exe | cmd: C:\Windows\system32\Qgqbhe32.exe | PID 3168 | System Location Discovery: System Language Discovery
- [74] C:\Windows\SysWOW64\Qklniccn.exe | cmd: C:\Windows\system32\Qklniccn.exe | PID 3672 | Modifies registry class
- [75] C:\Windows\SysWOW64\Qnkjeobb.exe | cmd: C:\Windows\system32\Qnkjeobb.exe | PID 5724
- [76] C:\Windows\SysWOW64\Qcgcmfqi.exe | cmd: C:\Windows\system32\Qcgcmfqi.exe | PID 3344
- [77] C:\Windows\SysWOW64\Qkokoc32.exe | cmd: C:\Windows\system32\Qkokoc32.exe | PID 4752 | Adds autorun key to be loaded by Explorer.exe on startup
- [78] C:\Windows\SysWOW64\Abhckmhh.exe | cmd: C:\Windows\system32\Abhckmhh.exe | PID 4608
- [79] C:\Windows\SysWOW64\Aegogihl.exe | cmd: C:\Windows\system32\Aegogihl.exe | PID 1968
- [80] C:\Windows\SysWOW64\Anodpn32.exe | cmd: C:\Windows\system32\Anodpn32.exe | PID 3052 | System Location Discovery: System Language Discovery
- [81] C:\Windows\SysWOW64\Aanplj32.exe | cmd: C:\Windows\system32\Aanplj32.exe | PID 3276
- [82] C:\Windows\SysWOW64\Ajfdeoda.exe | cmd: C:\Windows\system32\Ajfdeoda.exe | PID 5348
- [83] C:\Windows\SysWOW64\Aapmbikn.exe | cmd: C:\Windows\system32\Aapmbikn.exe | PID 5756
- [84] C:\Windows\SysWOW64\Agjeoc32.exe | cmd: C:\Windows\system32\Agjeoc32.exe | PID 2236
- [85] C:\Windows\SysWOW64\Andmknjg.exe | cmd: C:\Windows\system32\Andmknjg.exe | PID 448
- [86] C:\Windows\SysWOW64\Acafcdho.exe | cmd: C:\Windows\system32\Acafcdho.exe | PID 1356 | Adds autorun key to be loaded by Explorer.exe on startup
- [87] C:\Windows\SysWOW64\Ajknpo32.exe | cmd: C:\Windows\system32\Ajknpo32.exe | PID 1908
- [88] C:\Windows\SysWOW64\Accbid32.exe | cmd: C:\Windows\system32\Accbid32.exe | PID 1824
- [89] C:\Windows\SysWOW64\Bbdbglnk.exe | cmd: C:\Windows\system32\Bbdbglnk.exe | PID 2396
- [90] C:\Windows\SysWOW64\Bhakobmb.exe | cmd: C:\Windows\system32\Bhakobmb.exe | PID 3212
- [91] C:\Windows\SysWOW64\Bnkclm32.exe | cmd: C:\Windows\system32\Bnkclm32.exe | PID 2952
- [92] C:\Windows\SysWOW64\Bhcheb32.exe | cmd: C:\Windows\system32\Bhcheb32.exe | PID 744
- [93] C:\Windows\SysWOW64\Bnmpalbm.exe | cmd: C:\Windows\system32\Bnmpalbm.exe | PID 4732
- [94] C:\Windows\SysWOW64\Beghnf32.exe | cmd: C:\Windows\system32\Beghnf32.exe | PID 5160
- [95] C:\Windows\SysWOW64\Bhfdjb32.exe | cmd: C:\Windows\system32\Bhfdjb32.exe | PID 5592
- [96] C:\Windows\SysWOW64\Bjdafm32.exe | cmd: C:\Windows\system32\Bjdafm32.exe | PID 5680
- [97] C:\Windows\SysWOW64\Bbkihk32.exe | cmd: C:\Windows\system32\Bbkihk32.exe | PID 5880
- [98] C:\Windows\SysWOW64\Bejedfgg.exe | cmd: C:\Windows\system32\Bejedfgg.exe | PID 4072
- [99] C:\Windows\SysWOW64\Bhhapafk.exe | cmd: C:\Windows\system32\Bhhapafk.exe | PID 6024
- [100] C:\Windows\SysWOW64\Bjfnlmen.exe | cmd: C:\Windows\system32\Bjfnlmen.exe | PID 6088
- [101] C:\Windows\SysWOW64\Bbnemjfq.exe | cmd: C:\Windows\system32\Bbnemjfq.exe | PID 6132 | Drops file in System32 directory
- [102] C:\Windows\SysWOW64\Bhjneadh.exe | cmd: C:\Windows\system32\Bhjneadh.exe | PID 3916
- [103] C:\Windows\SysWOW64\Cjijamcl.exe | cmd: C:\Windows\system32\Cjijamcl.exe | PID 2788
- [104] C:\Windows\SysWOW64\Cndfbk32.exe | cmd: C:\Windows\system32\Cndfbk32.exe | PID 5736
- [105] C:\Windows\SysWOW64\Cacbng32.exe | cmd: C:\Windows\system32\Cacbng32.exe | PID 2832
- [106] C:\Windows\SysWOW64\Cenooeca.exe | cmd: C:\Windows\system32\Cenooeca.exe | PID 5712
- [107] C:\Windows\SysWOW64\Clhglpkn.exe | cmd: C:\Windows\system32\Clhglpkn.exe | PID 5432
- [108] C:\Windows\SysWOW64\Cjkggl32.exe | cmd: C:\Windows\system32\Cjkggl32.exe | PID 3520 | Drops file in System32 directory
- [109] C:\Windows\SysWOW64\Cbbohj32.exe | cmd: C:\Windows\system32\Cbbohj32.exe | PID 4600
- [110] C:\Windows\SysWOW64\Ceqkde32.exe | cmd: C:\Windows\system32\Ceqkde32.exe | PID 4972
- [111] C:\Windows\SysWOW64\Chogqq32.exe | cmd: C:\Windows\system32\Chogqq32.exe | PID 1020
- [112] C:\Windows\SysWOW64\Caglifgc.exe | cmd: C:\Windows\system32\Caglifgc.exe | PID 2432
- [113] C:\Windows\SysWOW64\Cechje32.exe | cmd: C:\Windows\system32\Cechje32.exe | PID 3092 | Adds autorun key to be loaded by Explorer.exe on startup
- [114] C:\Windows\SysWOW64\Coklcj32.exe | cmd: C:\Windows\system32\Coklcj32.exe | PID 3516 | Modifies registry class
- [115] C:\Windows\SysWOW64\Cdheka32.exe | cmd: C:\Windows\system32\Cdheka32.exe | PID 2056
- [116] C:\Windows\SysWOW64\Calede32.exe | cmd: C:\Windows\system32\Calede32.exe | PID 6128
- [117] C:\Windows\SysWOW64\Dlaibnbc.exe | cmd: C:\Windows\system32\Dlaibnbc.exe | PID 5404
- [118] C:\Windows\SysWOW64\Dopfnjag.exe | cmd: C:\Windows\system32\Dopfnjag.exe | PID 6056
- [119] C:\Windows\SysWOW64\Ddmnfqpo.exe | cmd: C:\Windows\system32\Ddmnfqpo.exe | PID 5064
- [120] C:\Windows\SysWOW64\Dkgfck32.exe | cmd: C:\Windows\system32\Dkgfck32.exe | PID 5616
- [121] C:\Windows\SysWOW64\Delkpc32.exe | cmd: C:\Windows\system32\Delkpc32.exe | PID 3572
- [122] C:\Windows\SysWOW64\Doeoii32.exe | cmd: C:\Windows\system32\Doeoii32.exe | PID 2680 | Adds autorun key to be loaded by Explorer.exe on startup