Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09/09/2024, 02:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc297d8c99b5ee9a6d1b1009ca08ff50N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
fc297d8c99b5ee9a6d1b1009ca08ff50N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
fc297d8c99b5ee9a6d1b1009ca08ff50N.exe
-
Size
592KB
-
MD5
fc297d8c99b5ee9a6d1b1009ca08ff50
-
SHA1
ad1244ed4e2db78e916b993e1d3e29a6ddde681d
-
SHA256
6037aa1a0ff0a956c92ff8ff0ec92a2f2d5ccb780e6298e3ff3e932c9fb800e5
-
SHA512
ba9a143c4b08facb06af6cd6c4215e8424e9824d7aa43fa2483534401877ec464291398e163025f5d209f7494d712882d56749817ea8331cbecfd20cd4ab7544
-
SSDEEP
6144:kyLQLA3j8Hs+ae8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqk9a5:FLQLATus+p87g7/VycgE81lgxaa79y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Headon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abjdbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blakhgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbbkjgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbamcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecccmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cafpkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oijgmokc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egnhcgeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echbad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jahgpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aofemaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bipcei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifhibhfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejfjocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmcocn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgbdmfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bomknp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkcbnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbofdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmlmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgkhec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjbimal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdihfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebbmpmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmfmfigl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnokmkfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbepdfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Locgagli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklfho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jafaem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liimgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cqghcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdaonmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emoaopnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnojcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmaneoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cojqdhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elkbhbeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlblcdpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impeib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnjbbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiikkada.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocldhqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpfdkiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieknpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckqoapgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnlfqngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoenbkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apdkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kigoeagd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgmmpab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikmepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifefbbdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pphckb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajnol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfafhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjbhbf32.exe -
Executes dropped EXE 64 IoCs
pid Process 32 Mfmpob32.exe 5096 Mmghklif.exe 4168 Mdaqhf32.exe 3904 Nagngjmj.exe 4012 Nfdfoala.exe 2608 Nkboeobh.exe 828 Nalgbi32.exe 3124 Nkdlkope.exe 3624 Nmbhgjoi.exe 2288 Odaiodbp.exe 4940 Oinbgk32.exe 1612 Ohaokbfd.exe 2208 Okbhlm32.exe 1824 Opopdd32.exe 3096 Phiekaql.exe 1556 Pnenchoc.exe 2200 Pgnblm32.exe 4588 Pphckb32.exe 1800 Qpkppbho.exe 1172 Qhbhapha.exe 3980 Qpmmfbfl.exe 4624 Qdihfq32.exe 1204 Akenij32.exe 348 Aaofedkl.exe 764 Abdoqd32.exe 4868 Abflfc32.exe 5104 Bbhhlccb.exe 3616 Bgeadjai.exe 3436 Bkcjjhgp.exe 1544 Bnaffdfc.exe 3024 Bdlncn32.exe 3464 Bndblcdq.exe 2828 Biigildg.exe 1664 Bkhceh32.exe 2004 Bkjpkg32.exe 1072 Cqghcn32.exe 1688 Cgaqphgl.exe 3044 Cbfema32.exe 4876 Cgcmeh32.exe 800 Cnmebblf.exe 440 Cicjokll.exe 208 Cghgpgqd.exe 1380 Capkim32.exe 3336 Dndlba32.exe 1320 Dgmpkg32.exe 3252 Dnghhqdk.exe 4416 Dgomaf32.exe 2244 Dbdano32.exe 404 Decmjjie.exe 4368 Dnkbcp32.exe 3708 Dajnol32.exe 3196 Dlobmd32.exe 1468 Dicbfhni.exe 3556 Enpknplq.exe 4736 Eangjkkd.exe 1600 Ehhpge32.exe 4440 Ejglcq32.exe 3740 Eaqdpjia.exe 408 Ehklmd32.exe 4628 Ejiiippb.exe 2264 Eijigg32.exe 5140 Ebbmpmnb.exe 5188 Eimelg32.exe 5224 Elkbhbeb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Behbkmgb.exe Bjbnndgl.exe File opened for modification C:\Windows\SysWOW64\Odaiodbp.exe Nmbhgjoi.exe File created C:\Windows\SysWOW64\Keppcl32.dll Nicalpak.exe File created C:\Windows\SysWOW64\Amddeq32.dll Dfeibf32.exe File created C:\Windows\SysWOW64\Phmjdbpo.exe Pacahhib.exe File created C:\Windows\SysWOW64\Qolnjhjb.dll Pbbnbkpe.exe File created C:\Windows\SysWOW64\Pphckb32.exe Pgnblm32.exe File opened for modification C:\Windows\SysWOW64\Bnobfn32.exe Bkpfjb32.exe File created C:\Windows\SysWOW64\Bngcmp32.dll Mndjhhjp.exe File created C:\Windows\SysWOW64\Kekljlkp.exe Kpncbemh.exe File opened for modification C:\Windows\SysWOW64\Mieeka32.exe Mkadam32.exe File created C:\Windows\SysWOW64\Gbnpqpgp.dll Hphbpehj.exe File created C:\Windows\SysWOW64\Jkjikd32.dll Eflhiolf.exe File created C:\Windows\SysWOW64\Okbhlm32.exe Ohaokbfd.exe File created C:\Windows\SysWOW64\Donklfgn.dll Abdoqd32.exe File created C:\Windows\SysWOW64\Gopdnemk.dll Qckbggad.exe File created C:\Windows\SysWOW64\Lfbpae32.dll Admkgifd.exe File opened for modification C:\Windows\SysWOW64\Feella32.exe Fmndkd32.exe File created C:\Windows\SysWOW64\Dqnmjg32.dll Nlefebfg.exe File opened for modification C:\Windows\SysWOW64\Midoph32.exe Mcggga32.exe File created C:\Windows\SysWOW64\Hnneimjn.dll Qdfefkll.exe File opened for modification C:\Windows\SysWOW64\Olfgcj32.exe Oemofpel.exe File opened for modification C:\Windows\SysWOW64\Imeeohoi.exe Ipaeedpp.exe File created C:\Windows\SysWOW64\Hqphkjmi.dll Kppphe32.exe File created C:\Windows\SysWOW64\Caikpked.dll Jognokdi.exe File created C:\Windows\SysWOW64\Panemeei.dll Bplammmf.exe File created C:\Windows\SysWOW64\Pqknbmhc.exe Pfeiedhm.exe File created C:\Windows\SysWOW64\Efcpkeke.dll Cgaqphgl.exe File created C:\Windows\SysWOW64\Geabbfoc.exe Fbqiak32.exe File created C:\Windows\SysWOW64\Mclpbqal.exe Miflehaf.exe File created C:\Windows\SysWOW64\Linojbdc.exe Lfnfhg32.exe File opened for modification C:\Windows\SysWOW64\Nppfnige.exe Nejbaqgo.exe File opened for modification C:\Windows\SysWOW64\Bknidbhi.exe Acgacegg.exe File created C:\Windows\SysWOW64\Ibchnb32.dll Kahpgcch.exe File opened for modification C:\Windows\SysWOW64\Geeecogb.exe Gmlplbib.exe File opened for modification C:\Windows\SysWOW64\Aeofoe32.exe Aoenbkll.exe File opened for modification C:\Windows\SysWOW64\Mkpglqgj.exe Mpkbohhd.exe File created C:\Windows\SysWOW64\Keilgoad.dll Pjeoablq.exe File created C:\Windows\SysWOW64\Igmjbjkl.dll Ihfglhfp.exe File opened for modification C:\Windows\SysWOW64\Iaqapggb.exe Imeeohoi.exe File opened for modification C:\Windows\SysWOW64\Negoaj32.exe Nnmfdpni.exe File opened for modification C:\Windows\SysWOW64\Efdbhpbn.exe Ecfeldcj.exe File created C:\Windows\SysWOW64\Fmmffhnk.exe Ffbnin32.exe File created C:\Windows\SysWOW64\Mmjekp32.dll Cpmqoqbp.exe File opened for modification C:\Windows\SysWOW64\Locgagli.exe Ldnbdnlc.exe File created C:\Windows\SysWOW64\Hcblakmh.dll Imonol32.exe File opened for modification C:\Windows\SysWOW64\Nlefebfg.exe Meknhh32.exe File created C:\Windows\SysWOW64\Qakkgnpi.dll Ckidoc32.exe File opened for modification C:\Windows\SysWOW64\Lefkfk32.exe Ldeonbkd.exe File opened for modification C:\Windows\SysWOW64\Kbgafqla.exe Kmjinjnj.exe File opened for modification C:\Windows\SysWOW64\Bpkbmi32.exe Bloflk32.exe File created C:\Windows\SysWOW64\Bcinie32.exe Bpkbmi32.exe File created C:\Windows\SysWOW64\Ejkndijd.exe Emgnje32.exe File created C:\Windows\SysWOW64\Dehchiqm.dll Geeecogb.exe File created C:\Windows\SysWOW64\Djlppb32.dll Fgqehgco.exe File created C:\Windows\SysWOW64\Cafpkc32.exe Chnlbndj.exe File created C:\Windows\SysWOW64\Elepei32.exe Eflhiolf.exe File opened for modification C:\Windows\SysWOW64\Jbcmhb32.exe Jlidkh32.exe File created C:\Windows\SysWOW64\Kmjinjnj.exe Kjlmbnof.exe File opened for modification C:\Windows\SysWOW64\Addahh32.exe Aphegjhc.exe File created C:\Windows\SysWOW64\Dnkkij32.exe Djjemlhf.exe File created C:\Windows\SysWOW64\Fmflco32.dll Hpchdf32.exe File created C:\Windows\SysWOW64\Laacmbkm.exe Locgagli.exe File opened for modification C:\Windows\SysWOW64\Kmfmfigl.exe Kbaiip32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9264 9756 WerFault.exe 977 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaokbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdjfhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdgaond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baepjpea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnealfkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgibjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijohoki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncecioib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpljdjnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjbmhfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dccbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pphckb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flddoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kahpgcch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpeelnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qecgcfmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnonla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmjinjnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opongobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eceoanpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicjokll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngodlgka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qepccqlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbabpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkbhbeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejmkiiha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imonol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akgcdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbiklmhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilkkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffeaichg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlialb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfgcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcnnjoam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkdeaee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihbpalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oendaipn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdolbijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oigdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifefbbdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mndjhhjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjagapbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmginjki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geflne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmkjeko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkflpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqhcno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbmnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldpde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbdmfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjobedk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcjjhgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amibqhed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnhoqmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhbfkbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaqphgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kojdkhdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaimko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclpbqal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdibplaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdkmn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqogfdbb.dll" Ibagmiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epplai32.dll" Iadljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekakihaj.dll" Kokbpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahnclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bidefbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehgqed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdqecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alcfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbandfpf.dll" Omfcmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Affgno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkgmmpab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgmnqmam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bqokhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbofckhp.dll" Nkhdgfen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjapfjnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lefkfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmfhcff.dll" Opongobp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmeapbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmepohe.dll" Npipnjmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmhogppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jahgpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbiklmhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qniogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfadi32.dll" Kkihedld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkmapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocikabbg.dll" Qpmmfbfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdfapjbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djjobedk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qnihlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onhhkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgdjicmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klljhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mqimdomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dknelf32.dll" Cojqdhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdcplkoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peghgj32.dll" Ojfmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlajkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Acgacegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oemofpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlhei32.dll" Bcfkiock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enonclfe.dll" Kpdjbapj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbiooolb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdiafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbaiip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akipic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blabakle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgnmpbec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Beefenie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiinoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhdeinhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbmnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaobmboi.dll" Oinbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnokmkfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djjemlhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipabdl32.dll" Majoikof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngedbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjnpija.dll" Elncjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gaibhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnnbn32.dll" Knenffqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcdifdem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkhceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajikhfpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eefhcimp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokkmq32.dll" Qnniopcm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3048 wrote to memory of 32 3048 fc297d8c99b5ee9a6d1b1009ca08ff50N.exe 92 PID 3048 wrote to memory of 32 3048 fc297d8c99b5ee9a6d1b1009ca08ff50N.exe 92 PID 3048 wrote to memory of 32 3048 fc297d8c99b5ee9a6d1b1009ca08ff50N.exe 92 PID 32 wrote to memory of 5096 32 Mfmpob32.exe 93 PID 32 wrote to memory of 5096 32 Mfmpob32.exe 93 PID 32 wrote to memory of 5096 32 Mfmpob32.exe 93 PID 5096 wrote to memory of 4168 5096 Mmghklif.exe 94 PID 5096 wrote to memory of 4168 5096 Mmghklif.exe 94 PID 5096 wrote to memory of 4168 5096 Mmghklif.exe 94 PID 4168 wrote to memory of 3904 4168 Mdaqhf32.exe 96 PID 4168 wrote to memory of 3904 4168 Mdaqhf32.exe 96 PID 4168 wrote to memory of 3904 4168 Mdaqhf32.exe 96 PID 3904 wrote to memory of 4012 3904 Nagngjmj.exe 97 PID 3904 wrote to memory of 4012 3904 Nagngjmj.exe 97 PID 3904 wrote to memory of 4012 3904 Nagngjmj.exe 97 PID 4012 wrote to memory of 2608 4012 Nfdfoala.exe 98 PID 4012 wrote to memory of 2608 4012 Nfdfoala.exe 98 PID 4012 wrote to memory of 2608 4012 Nfdfoala.exe 98 PID 2608 wrote to memory of 828 2608 Nkboeobh.exe 99 PID 2608 wrote to memory of 828 2608 Nkboeobh.exe 99 PID 2608 wrote to memory of 828 2608 Nkboeobh.exe 99 PID 828 wrote to memory of 3124 828 Nalgbi32.exe 100 PID 828 wrote to memory of 3124 828 Nalgbi32.exe 100 PID 828 wrote to memory of 3124 828 Nalgbi32.exe 100 PID 3124 wrote to memory of 3624 3124 Nkdlkope.exe 101 PID 3124 wrote to memory of 3624 3124 Nkdlkope.exe 101 PID 3124 wrote to memory of 3624 3124 Nkdlkope.exe 101 PID 3624 wrote to memory of 2288 3624 Nmbhgjoi.exe 102 PID 3624 wrote to memory of 2288 3624 Nmbhgjoi.exe 102 PID 3624 wrote to memory of 2288 3624 Nmbhgjoi.exe 102 PID 2288 wrote to memory of 4940 2288 Odaiodbp.exe 103 PID 2288 wrote to memory of 4940 2288 Odaiodbp.exe 103 PID 2288 wrote to memory of 4940 2288 Odaiodbp.exe 103 PID 4940 wrote to memory of 1612 4940 Oinbgk32.exe 104 PID 4940 wrote to memory of 1612 4940 Oinbgk32.exe 104 PID 4940 wrote to memory of 1612 4940 Oinbgk32.exe 104 PID 1612 wrote to memory of 2208 1612 Ohaokbfd.exe 105 PID 1612 wrote to memory of 2208 1612 Ohaokbfd.exe 105 PID 1612 wrote to memory of 2208 1612 Ohaokbfd.exe 105 PID 2208 wrote to memory of 1824 2208 Okbhlm32.exe 106 PID 2208 wrote to memory of 1824 2208 Okbhlm32.exe 106 PID 2208 wrote to memory of 1824 2208 Okbhlm32.exe 106 PID 1824 wrote to memory of 3096 1824 Opopdd32.exe 107 PID 1824 wrote to memory of 3096 1824 Opopdd32.exe 107 PID 1824 wrote to memory of 3096 1824 Opopdd32.exe 107 PID 3096 wrote to memory of 1556 3096 Phiekaql.exe 108 PID 3096 wrote to memory of 1556 3096 Phiekaql.exe 108 PID 3096 wrote to memory of 1556 3096 Phiekaql.exe 108 PID 1556 wrote to memory of 2200 1556 Pnenchoc.exe 109 PID 1556 wrote to memory of 2200 1556 Pnenchoc.exe 109 PID 1556 wrote to memory of 2200 1556 Pnenchoc.exe 109 PID 2200 wrote to memory of 4588 2200 Pgnblm32.exe 110 PID 2200 wrote to memory of 4588 2200 Pgnblm32.exe 110 PID 2200 wrote to memory of 4588 2200 Pgnblm32.exe 110 PID 4588 wrote to memory of 1800 4588 Pphckb32.exe 111 PID 4588 wrote to memory of 1800 4588 Pphckb32.exe 111 PID 4588 wrote to memory of 1800 4588 Pphckb32.exe 111 PID 1800 wrote to memory of 1172 1800 Qpkppbho.exe 112 PID 1800 wrote to memory of 1172 1800 Qpkppbho.exe 112 PID 1800 wrote to memory of 1172 1800 Qpkppbho.exe 112 PID 1172 wrote to memory of 3980 1172 Qhbhapha.exe 113 PID 1172 wrote to memory of 3980 1172 Qhbhapha.exe 113 PID 1172 wrote to memory of 3980 1172 Qhbhapha.exe 113 PID 3980 wrote to memory of 4624 3980 Qpmmfbfl.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc297d8c99b5ee9a6d1b1009ca08ff50N.exe"C:\Users\Admin\AppData\Local\Temp\fc297d8c99b5ee9a6d1b1009ca08ff50N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Mmghklif.exeC:\Windows\system32\Mmghklif.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Mdaqhf32.exeC:\Windows\system32\Mdaqhf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Nagngjmj.exeC:\Windows\system32\Nagngjmj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Nkboeobh.exeC:\Windows\system32\Nkboeobh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Nkdlkope.exeC:\Windows\system32\Nkdlkope.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Odaiodbp.exeC:\Windows\system32\Odaiodbp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Oinbgk32.exeC:\Windows\system32\Oinbgk32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Ohaokbfd.exeC:\Windows\system32\Ohaokbfd.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Okbhlm32.exeC:\Windows\system32\Okbhlm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Phiekaql.exeC:\Windows\system32\Phiekaql.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Pgnblm32.exeC:\Windows\system32\Pgnblm32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Qpkppbho.exeC:\Windows\system32\Qpkppbho.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Qhbhapha.exeC:\Windows\system32\Qhbhapha.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe24⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe25⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Abdoqd32.exeC:\Windows\system32\Abdoqd32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Abflfc32.exeC:\Windows\system32\Abflfc32.exe27⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Bbhhlccb.exeC:\Windows\system32\Bbhhlccb.exe28⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Bgeadjai.exeC:\Windows\system32\Bgeadjai.exe29⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3436 -
C:\Windows\SysWOW64\Bnaffdfc.exeC:\Windows\system32\Bnaffdfc.exe31⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Bdlncn32.exeC:\Windows\system32\Bdlncn32.exe32⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Bndblcdq.exeC:\Windows\system32\Bndblcdq.exe33⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Biigildg.exeC:\Windows\system32\Biigildg.exe34⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Bkhceh32.exeC:\Windows\system32\Bkhceh32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe36⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Cqghcn32.exeC:\Windows\system32\Cqghcn32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Cgaqphgl.exeC:\Windows\system32\Cgaqphgl.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Cbfema32.exeC:\Windows\system32\Cbfema32.exe39⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Cgcmeh32.exeC:\Windows\system32\Cgcmeh32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Cnmebblf.exeC:\Windows\system32\Cnmebblf.exe41⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Cicjokll.exeC:\Windows\system32\Cicjokll.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:440 -
C:\Windows\SysWOW64\Cghgpgqd.exeC:\Windows\system32\Cghgpgqd.exe43⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Capkim32.exeC:\Windows\system32\Capkim32.exe44⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe45⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Dgmpkg32.exeC:\Windows\system32\Dgmpkg32.exe46⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe47⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Dgomaf32.exeC:\Windows\system32\Dgomaf32.exe48⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Dbdano32.exeC:\Windows\system32\Dbdano32.exe49⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Decmjjie.exeC:\Windows\system32\Decmjjie.exe50⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Dnkbcp32.exeC:\Windows\system32\Dnkbcp32.exe51⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Dajnol32.exeC:\Windows\system32\Dajnol32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Dlobmd32.exeC:\Windows\system32\Dlobmd32.exe53⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Dicbfhni.exeC:\Windows\system32\Dicbfhni.exe54⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Enpknplq.exeC:\Windows\system32\Enpknplq.exe55⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Eangjkkd.exeC:\Windows\system32\Eangjkkd.exe56⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe57⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe58⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Eaqdpjia.exeC:\Windows\system32\Eaqdpjia.exe59⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Ehklmd32.exeC:\Windows\system32\Ehklmd32.exe60⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ejiiippb.exeC:\Windows\system32\Ejiiippb.exe61⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Eijigg32.exeC:\Windows\system32\Eijigg32.exe62⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Ebbmpmnb.exeC:\Windows\system32\Ebbmpmnb.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5140 -
C:\Windows\SysWOW64\Eimelg32.exeC:\Windows\system32\Eimelg32.exe64⤵
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Elkbhbeb.exeC:\Windows\system32\Elkbhbeb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5224 -
C:\Windows\SysWOW64\Eoindndf.exeC:\Windows\system32\Eoindndf.exe66⤵PID:5296
-
C:\Windows\SysWOW64\Eecfah32.exeC:\Windows\system32\Eecfah32.exe67⤵PID:5340
-
C:\Windows\SysWOW64\Fhbbmc32.exeC:\Windows\system32\Fhbbmc32.exe68⤵PID:5380
-
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe69⤵PID:5420
-
C:\Windows\SysWOW64\Falcli32.exeC:\Windows\system32\Falcli32.exe70⤵PID:5460
-
C:\Windows\SysWOW64\Fkehdnee.exeC:\Windows\system32\Fkehdnee.exe71⤵PID:5504
-
C:\Windows\SysWOW64\Faopah32.exeC:\Windows\system32\Faopah32.exe72⤵PID:5544
-
C:\Windows\SysWOW64\Flddoa32.exeC:\Windows\system32\Flddoa32.exe73⤵
- System Location Discovery: System Language Discovery
PID:5584 -
C:\Windows\SysWOW64\Fiheheka.exeC:\Windows\system32\Fiheheka.exe74⤵PID:5628
-
C:\Windows\SysWOW64\Fbqiak32.exeC:\Windows\system32\Fbqiak32.exe75⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Geabbfoc.exeC:\Windows\system32\Geabbfoc.exe76⤵PID:5708
-
C:\Windows\SysWOW64\Gahcgg32.exeC:\Windows\system32\Gahcgg32.exe77⤵PID:5748
-
C:\Windows\SysWOW64\Glngep32.exeC:\Windows\system32\Glngep32.exe78⤵PID:5788
-
C:\Windows\SysWOW64\Geflne32.exeC:\Windows\system32\Geflne32.exe79⤵
- System Location Discovery: System Language Discovery
PID:5836 -
C:\Windows\SysWOW64\Ghdhja32.exeC:\Windows\system32\Ghdhja32.exe80⤵PID:5876
-
C:\Windows\SysWOW64\Gammbfqa.exeC:\Windows\system32\Gammbfqa.exe81⤵PID:5916
-
C:\Windows\SysWOW64\Glbapoqh.exeC:\Windows\system32\Glbapoqh.exe82⤵PID:5960
-
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe83⤵PID:6004
-
C:\Windows\SysWOW64\Hiinoc32.exeC:\Windows\system32\Hiinoc32.exe84⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Hlgjko32.exeC:\Windows\system32\Hlgjko32.exe85⤵PID:6084
-
C:\Windows\SysWOW64\Hohcmjic.exeC:\Windows\system32\Hohcmjic.exe86⤵PID:5136
-
C:\Windows\SysWOW64\Hipdpbgf.exeC:\Windows\system32\Hipdpbgf.exe87⤵PID:5204
-
C:\Windows\SysWOW64\Ijdnka32.exeC:\Windows\system32\Ijdnka32.exe88⤵PID:5304
-
C:\Windows\SysWOW64\Ieknpb32.exeC:\Windows\system32\Ieknpb32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5364 -
C:\Windows\SysWOW64\Ilgcblnp.exeC:\Windows\system32\Ilgcblnp.exe90⤵PID:5448
-
C:\Windows\SysWOW64\Iadljc32.exeC:\Windows\system32\Iadljc32.exe91⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Ihndgmdd.exeC:\Windows\system32\Ihndgmdd.exe92⤵PID:5620
-
C:\Windows\SysWOW64\Iohlcg32.exeC:\Windows\system32\Iohlcg32.exe93⤵PID:5744
-
C:\Windows\SysWOW64\Jokiig32.exeC:\Windows\system32\Jokiig32.exe94⤵PID:5816
-
C:\Windows\SysWOW64\Jfgnka32.exeC:\Windows\system32\Jfgnka32.exe95⤵PID:5888
-
C:\Windows\SysWOW64\Jkcfch32.exeC:\Windows\system32\Jkcfch32.exe96⤵PID:5076
-
C:\Windows\SysWOW64\Jcmkjeko.exeC:\Windows\system32\Jcmkjeko.exe97⤵
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Windows\SysWOW64\Jjgcgo32.exeC:\Windows\system32\Jjgcgo32.exe98⤵PID:6016
-
C:\Windows\SysWOW64\Jodlof32.exeC:\Windows\system32\Jodlof32.exe99⤵PID:6092
-
C:\Windows\SysWOW64\Kbbhka32.exeC:\Windows\system32\Kbbhka32.exe100⤵PID:3352
-
C:\Windows\SysWOW64\Kkkldg32.exeC:\Windows\system32\Kkkldg32.exe101⤵PID:5276
-
C:\Windows\SysWOW64\Kjlmbnof.exeC:\Windows\system32\Kjlmbnof.exe102⤵
- Drops file in System32 directory
PID:5416 -
C:\Windows\SysWOW64\Kmjinjnj.exeC:\Windows\system32\Kmjinjnj.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5484 -
C:\Windows\SysWOW64\Kbgafqla.exeC:\Windows\system32\Kbgafqla.exe104⤵PID:5660
-
C:\Windows\SysWOW64\Kokbpe32.exeC:\Windows\system32\Kokbpe32.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Kbinlp32.exeC:\Windows\system32\Kbinlp32.exe106⤵PID:5908
-
C:\Windows\SysWOW64\Kicfijal.exeC:\Windows\system32\Kicfijal.exe107⤵PID:5952
-
C:\Windows\SysWOW64\Komoed32.exeC:\Windows\system32\Komoed32.exe108⤵PID:6044
-
C:\Windows\SysWOW64\Kjcccm32.exeC:\Windows\system32\Kjcccm32.exe109⤵PID:5128
-
C:\Windows\SysWOW64\Lckglc32.exeC:\Windows\system32\Lckglc32.exe110⤵PID:5368
-
C:\Windows\SysWOW64\Lfjchn32.exeC:\Windows\system32\Lfjchn32.exe111⤵PID:5552
-
C:\Windows\SysWOW64\Lkflpe32.exeC:\Windows\system32\Lkflpe32.exe112⤵
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Lflpmn32.exeC:\Windows\system32\Lflpmn32.exe113⤵PID:2916
-
C:\Windows\SysWOW64\Lijlii32.exeC:\Windows\system32\Lijlii32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5992 -
C:\Windows\SysWOW64\Lpdefc32.exeC:\Windows\system32\Lpdefc32.exe115⤵PID:6104
-
C:\Windows\SysWOW64\Ljjicl32.exeC:\Windows\system32\Ljjicl32.exe116⤵PID:5496
-
C:\Windows\SysWOW64\Lpgalc32.exeC:\Windows\system32\Lpgalc32.exe117⤵PID:5824
-
C:\Windows\SysWOW64\Ljleil32.exeC:\Windows\system32\Ljleil32.exe118⤵PID:6072
-
C:\Windows\SysWOW64\Lmkbeg32.exeC:\Windows\system32\Lmkbeg32.exe119⤵PID:5428
-
C:\Windows\SysWOW64\Lbgjmnno.exeC:\Windows\system32\Lbgjmnno.exe120⤵PID:5944
-
C:\Windows\SysWOW64\Llpofd32.exeC:\Windows\system32\Llpofd32.exe121⤵PID:5576
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-