Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 06:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad6ef0f201dc704b75349c184c456ef0N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
ad6ef0f201dc704b75349c184c456ef0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ad6ef0f201dc704b75349c184c456ef0N.exe
-
Size
72KB
-
MD5
ad6ef0f201dc704b75349c184c456ef0
-
SHA1
14f3031b9fa58e63d1c455884ff5b7502be72d60
-
SHA256
9cd14298b63acbada9a69abb3f168b4a1afb711dfb41e889a4bd39ea86ebbe84
-
SHA512
a569a38e1130ee80b09ead8ffd9df1e5b2886491833abbcd605f04e440a629a33a225c899d70a02f6521ba937c6469ed248f6d353b085200581d41559094f497
-
SSDEEP
1536:620SQ6WyQbFSrUg3/f6I5oDjsPm0S39MMsPgUN3QivEtA:HiLM7Pm2dPgU5QJA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foplnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacmchcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlomnfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liekgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cediab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmiqfoie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egjebn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmdeink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfjljhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgbmffn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqjlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oajccgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpkbmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceeaim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohplf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcepem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflpmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ionbcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejoqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbnhkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqdgop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cipebqij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjaio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oileakbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpjkbcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbaobmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacboi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfidh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgehml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklffq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnjednnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphkfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlmopqdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijigg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olidijjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjoadbbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajqpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmejlcoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oijqbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbijinfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejkenpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idpdfija.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fakfglhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgbepdpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijppjfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkcbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cibagpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goabhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkalnjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhpkldp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddemi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpobmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjejqcl.exe -
Executes dropped EXE 64 IoCs
pid Process 228 Mpchbhjl.exe 4420 Mhjpceko.exe 1456 Mfmpob32.exe 1140 Mmghklif.exe 3088 Mpedgghj.exe 4512 Mjkiephp.exe 4060 Mmiealgc.exe 2212 Mdcmnfop.exe 3556 Nfaijand.exe 1740 Nmlafk32.exe 4416 Npjnbg32.exe 864 Nibbklke.exe 1960 Nplkhf32.exe 404 Nkboeobh.exe 1824 Nalgbi32.exe 3600 Ndjcne32.exe 1556 Nhfoocaa.exe 892 Nkdlkope.exe 4588 Niglfl32.exe 712 Nmbhgjoi.exe 4280 Nandhi32.exe 3980 Npadcfnl.exe 452 Ndmpddfe.exe 4316 Ngklppei.exe 208 Nkghqo32.exe 3128 Nmedmj32.exe 2924 Npcaie32.exe 3376 Ohkijc32.exe 940 Ogmiepcf.exe 1904 Oileakbj.exe 2296 Omgabj32.exe 2396 Oacmchcl.exe 1352 Odaiodbp.exe 4104 Ohmepbki.exe 2208 Ogpfko32.exe 3420 Okkalnjm.exe 4408 Omjnhiiq.exe 1072 Oaejhh32.exe 3632 Ophjdehd.exe 4552 Ohobebig.exe 3780 Ogbbqo32.exe 4020 Oiqomj32.exe 1380 Omlkmign.exe 2284 Oahgnh32.exe 4040 Odfcjc32.exe 4380 Ohaokbfd.exe 1680 Okpkgm32.exe 2184 Oickbjmb.exe 872 Onngci32.exe 2728 Oajccgmd.exe 3736 Opmcod32.exe 3240 Ohdlpa32.exe 4768 Oggllnkl.exe 5012 Oiehhjjp.exe 2328 Onqdhh32.exe 3988 Opopdd32.exe 3956 Pdklebje.exe 3680 Phfhfa32.exe 3776 Pgihanii.exe 3732 Pjgemi32.exe 4320 Pncanhaf.exe 4988 Ppamjcpj.exe 4068 Pdmikb32.exe 1956 Phiekaql.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dnkbcp32.exe Dgaiffii.exe File created C:\Windows\SysWOW64\Elkbhbeb.exe Eimelg32.exe File opened for modification C:\Windows\SysWOW64\Lmcejbbd.exe Lbmqmi32.exe File opened for modification C:\Windows\SysWOW64\Jhocgqjj.exe Jphkfc32.exe File opened for modification C:\Windows\SysWOW64\Pnplqn32.exe Plapdb32.exe File created C:\Windows\SysWOW64\Odhman32.exe Process not Found File created C:\Windows\SysWOW64\Jphnld32.dll Oijqbh32.exe File created C:\Windows\SysWOW64\Lcacmeaa.dll Beaced32.exe File created C:\Windows\SysWOW64\Pnbjlolg.dll Bhgeao32.exe File opened for modification C:\Windows\SysWOW64\Ehekjk32.exe Efgono32.exe File created C:\Windows\SysWOW64\Kanffogf.exe Jpojml32.exe File created C:\Windows\SysWOW64\Lgfojd32.exe Lckbje32.exe File created C:\Windows\SysWOW64\Donloloo.dll Cgjcfgoa.exe File created C:\Windows\SysWOW64\Ddfbadcc.dll Pacahhib.exe File created C:\Windows\SysWOW64\Hmijkj32.dll Ckmmpg32.exe File created C:\Windows\SysWOW64\Niflidok.dll Ghdaokfe.exe File created C:\Windows\SysWOW64\Cpfoehnm.dll Imabnofj.exe File created C:\Windows\SysWOW64\Jhdfpjee.dll Clohhbli.exe File created C:\Windows\SysWOW64\Mfoflccp.dll Fpnfbi32.exe File opened for modification C:\Windows\SysWOW64\Bhgeao32.exe Bammeebe.exe File opened for modification C:\Windows\SysWOW64\Naaejj32.exe Ndmepe32.exe File created C:\Windows\SysWOW64\Cmnciegc.dll Ogmiepcf.exe File created C:\Windows\SysWOW64\Lilbdcfe.exe Lmeapbpa.exe File opened for modification C:\Windows\SysWOW64\Ibhdgjap.exe Iippne32.exe File created C:\Windows\SysWOW64\Ifcdpf32.dll Phmnfp32.exe File created C:\Windows\SysWOW64\Efcnhmeg.dll Fbiooolb.exe File created C:\Windows\SysWOW64\Liimgh32.exe Process not Found File created C:\Windows\SysWOW64\Bqbohocd.exe Bndblcdq.exe File opened for modification C:\Windows\SysWOW64\Dbbdip32.exe Djklgb32.exe File opened for modification C:\Windows\SysWOW64\Mnaghb32.exe Mdibplaf.exe File opened for modification C:\Windows\SysWOW64\Qgalelin.exe Qcepem32.exe File opened for modification C:\Windows\SysWOW64\Hlgjko32.exe Haafnf32.exe File created C:\Windows\SysWOW64\Hpkmajcn.dll Imgbdh32.exe File created C:\Windows\SysWOW64\Njbcqk32.dll Ibhdgjap.exe File created C:\Windows\SysWOW64\Cmfnki32.dll Kmegkp32.exe File created C:\Windows\SysWOW64\Kjhpdofp.dll Bblcda32.exe File created C:\Windows\SysWOW64\Maojmg32.dll Process not Found File created C:\Windows\SysWOW64\Ofadlbhj.exe Olkqnjhd.exe File created C:\Windows\SysWOW64\Bdkmkijf.dll Qfcjhphd.exe File created C:\Windows\SysWOW64\Hndibn32.exe Hjimaole.exe File created C:\Windows\SysWOW64\Cemcqcgi.exe Bocjdiol.exe File created C:\Windows\SysWOW64\Emnjnaja.dll Ednajepe.exe File created C:\Windows\SysWOW64\Canocm32.exe Cnpbgajc.exe File created C:\Windows\SysWOW64\Nmedfcdd.dll Blonbh32.exe File created C:\Windows\SysWOW64\Acghpmin.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nandhi32.exe Nmbhgjoi.exe File opened for modification C:\Windows\SysWOW64\Dohmff32.exe Djkdnool.exe File created C:\Windows\SysWOW64\Jmnakqcc.exe Jjoeoedo.exe File created C:\Windows\SysWOW64\Kihdqkaf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Midmcgif.exe Process not Found File created C:\Windows\SysWOW64\Ckdiqnel.dll Bdiamnpc.exe File created C:\Windows\SysWOW64\Cafagl32.dll Dgkbfjeg.exe File opened for modification C:\Windows\SysWOW64\Ilpfgg32.exe Idinej32.exe File created C:\Windows\SysWOW64\Jcplle32.exe Process not Found File created C:\Windows\SysWOW64\Omlkmign.exe Oiqomj32.exe File created C:\Windows\SysWOW64\Eangjkkd.exe Eblgon32.exe File created C:\Windows\SysWOW64\Lkldlgok.exe Lgqhki32.exe File created C:\Windows\SysWOW64\Boijog32.dll Femigg32.exe File created C:\Windows\SysWOW64\Ldnkeajq.dll Process not Found File created C:\Windows\SysWOW64\Hkheeg32.dll Ancjef32.exe File opened for modification C:\Windows\SysWOW64\Fdgdpdgj.exe Fkopgn32.exe File created C:\Windows\SysWOW64\Acggngam.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kfanen32.exe Process not Found File created C:\Windows\SysWOW64\Dfahjm32.dll Qimfoe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10664 11408 Process not Found 1257 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqdpfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elojej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goamlkpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlqig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbllc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcaoahio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceaofmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgbepdpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqilaplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijppjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgaiffii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbddmejf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjikoip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ionbcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoiqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdjpcng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggjgofkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deanhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcanmlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobcgdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ildpbfmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blpemn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpkbmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Benjkijd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjhmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgdcome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddklnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhmdeink.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjldocde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbchp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdaokfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgofmjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmlih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcccom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdhgaid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omigmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkiapn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odnngclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhpilbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdfefkll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foplnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbbngjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeailhme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkbhbeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllmoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniacddk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cigcjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faamghko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckbje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkghqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djoohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihhmgaqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goabhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eangjkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eenflbll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfacai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjnnmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkopgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kohnpoib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmepe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dilmeida.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmgcoaie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joikdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gimjag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnhjig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbecljnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jekpljgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djjobedk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqdbbelf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lceajc32.dll" Cklffq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cllkcbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflhqe32.dll" Gffkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbfjljhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkioojpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eijigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmdeink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnheh32.dll" Dcmjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcfpn32.dll" Kkgbjkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhlfj32.dll" Ndmpddfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiimejap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elepei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkqpcnig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkcjjhgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bammeebe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdalni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjkhme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbcpboc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpkqbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabocb32.dll" Elepei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpcmoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odpjmcjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdolbijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdkbakj.dll" Pnenchoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmjpdddo.dll" Benjkijd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baepjpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjpoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkggg32.dll" Jmepcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqkhidmg.dll" Gijmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfaph32.dll" Nfaijand.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nppfnige.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcbji32.dll" Ndpafe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blbabnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoapldei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjebllk.dll" Cigcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldailbk.dll" Bcomonkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiqoa32.dll" Ddpeigle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eelifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjldocde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2968 wrote to memory of 228 2968 ad6ef0f201dc704b75349c184c456ef0N.exe 92 PID 2968 wrote to memory of 228 2968 ad6ef0f201dc704b75349c184c456ef0N.exe 92 PID 2968 wrote to memory of 228 2968 ad6ef0f201dc704b75349c184c456ef0N.exe 92 PID 228 wrote to memory of 4420 228 Mpchbhjl.exe 93 PID 228 wrote to memory of 4420 228 Mpchbhjl.exe 93 PID 228 wrote to memory of 4420 228 Mpchbhjl.exe 93 PID 4420 wrote to memory of 1456 4420 Mhjpceko.exe 94 PID 4420 wrote to memory of 1456 4420 Mhjpceko.exe 94 PID 4420 wrote to memory of 1456 4420 Mhjpceko.exe 94 PID 1456 wrote to memory of 1140 1456 Mfmpob32.exe 95 PID 1456 wrote to memory of 1140 1456 Mfmpob32.exe 95 PID 1456 wrote to memory of 1140 1456 Mfmpob32.exe 95 PID 1140 wrote to memory of 3088 1140 Mmghklif.exe 96 PID 1140 wrote to memory of 3088 1140 Mmghklif.exe 96 PID 1140 wrote to memory of 3088 1140 Mmghklif.exe 96 PID 3088 wrote to memory of 4512 3088 Mpedgghj.exe 97 PID 3088 wrote to memory of 4512 3088 Mpedgghj.exe 97 PID 3088 wrote to memory of 4512 3088 Mpedgghj.exe 97 PID 4512 wrote to memory of 4060 4512 Mjkiephp.exe 98 PID 4512 wrote to memory of 4060 4512 Mjkiephp.exe 98 PID 4512 wrote to memory of 4060 4512 Mjkiephp.exe 98 PID 4060 wrote to memory of 2212 4060 Mmiealgc.exe 100 PID 4060 wrote to memory of 2212 4060 Mmiealgc.exe 100 PID 4060 wrote to memory of 2212 4060 Mmiealgc.exe 100 PID 2212 wrote to memory of 3556 2212 Mdcmnfop.exe 101 PID 2212 wrote to memory of 3556 2212 Mdcmnfop.exe 101 PID 2212 wrote to memory of 3556 2212 Mdcmnfop.exe 101 PID 3556 wrote to memory of 1740 3556 Nfaijand.exe 102 PID 3556 wrote to memory of 1740 3556 Nfaijand.exe 102 PID 3556 wrote to memory of 1740 3556 Nfaijand.exe 102 PID 1740 wrote to memory of 4416 1740 Nmlafk32.exe 103 PID 1740 wrote to memory of 4416 1740 Nmlafk32.exe 103 PID 1740 wrote to memory of 4416 1740 Nmlafk32.exe 103 PID 4416 wrote to memory of 864 4416 Npjnbg32.exe 104 PID 4416 wrote to memory of 864 4416 Npjnbg32.exe 104 PID 4416 wrote to memory of 864 4416 Npjnbg32.exe 104 PID 864 wrote to memory of 1960 864 Nibbklke.exe 105 PID 864 wrote to memory of 1960 864 Nibbklke.exe 105 PID 864 wrote to memory of 1960 864 Nibbklke.exe 105 PID 1960 wrote to memory of 404 1960 Nplkhf32.exe 106 PID 1960 wrote to memory of 404 1960 Nplkhf32.exe 106 PID 1960 wrote to memory of 404 1960 Nplkhf32.exe 106 PID 404 wrote to memory of 1824 404 Nkboeobh.exe 107 PID 404 wrote to memory of 1824 404 Nkboeobh.exe 107 PID 404 wrote to memory of 1824 404 Nkboeobh.exe 107 PID 1824 wrote to memory of 3600 1824 Nalgbi32.exe 108 PID 1824 wrote to memory of 3600 1824 Nalgbi32.exe 108 PID 1824 wrote to memory of 3600 1824 Nalgbi32.exe 108 PID 3600 wrote to memory of 1556 3600 Ndjcne32.exe 109 PID 3600 wrote to memory of 1556 3600 Ndjcne32.exe 109 PID 3600 wrote to memory of 1556 3600 Ndjcne32.exe 109 PID 1556 wrote to memory of 892 1556 Nhfoocaa.exe 110 PID 1556 wrote to memory of 892 1556 Nhfoocaa.exe 110 PID 1556 wrote to memory of 892 1556 Nhfoocaa.exe 110 PID 892 wrote to memory of 4588 892 Nkdlkope.exe 111 PID 892 wrote to memory of 4588 892 Nkdlkope.exe 111 PID 892 wrote to memory of 4588 892 Nkdlkope.exe 111 PID 4588 wrote to memory of 712 4588 Niglfl32.exe 112 PID 4588 wrote to memory of 712 4588 Niglfl32.exe 112 PID 4588 wrote to memory of 712 4588 Niglfl32.exe 112 PID 712 wrote to memory of 4280 712 Nmbhgjoi.exe 113 PID 712 wrote to memory of 4280 712 Nmbhgjoi.exe 113 PID 712 wrote to memory of 4280 712 Nmbhgjoi.exe 113 PID 4280 wrote to memory of 3980 4280 Nandhi32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad6ef0f201dc704b75349c184c456ef0N.exe"C:\Users\Admin\AppData\Local\Temp\ad6ef0f201dc704b75349c184c456ef0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Mhjpceko.exeC:\Windows\system32\Mhjpceko.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Mmghklif.exeC:\Windows\system32\Mmghklif.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Mpedgghj.exeC:\Windows\system32\Mpedgghj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Mjkiephp.exeC:\Windows\system32\Mjkiephp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Mmiealgc.exeC:\Windows\system32\Mmiealgc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Mdcmnfop.exeC:\Windows\system32\Mdcmnfop.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Nfaijand.exeC:\Windows\system32\Nfaijand.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Nmlafk32.exeC:\Windows\system32\Nmlafk32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Npjnbg32.exeC:\Windows\system32\Npjnbg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Nibbklke.exeC:\Windows\system32\Nibbklke.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Nplkhf32.exeC:\Windows\system32\Nplkhf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Nkboeobh.exeC:\Windows\system32\Nkboeobh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Nhfoocaa.exeC:\Windows\system32\Nhfoocaa.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Nkdlkope.exeC:\Windows\system32\Nkdlkope.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Niglfl32.exeC:\Windows\system32\Niglfl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Nandhi32.exeC:\Windows\system32\Nandhi32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Npadcfnl.exeC:\Windows\system32\Npadcfnl.exe23⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Ndmpddfe.exeC:\Windows\system32\Ndmpddfe.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Ngklppei.exeC:\Windows\system32\Ngklppei.exe25⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:208 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe27⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Npcaie32.exeC:\Windows\system32\Npcaie32.exe28⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ohkijc32.exeC:\Windows\system32\Ohkijc32.exe29⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Ogmiepcf.exeC:\Windows\system32\Ogmiepcf.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Oileakbj.exeC:\Windows\system32\Oileakbj.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Omgabj32.exeC:\Windows\system32\Omgabj32.exe32⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Oacmchcl.exeC:\Windows\system32\Oacmchcl.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Odaiodbp.exeC:\Windows\system32\Odaiodbp.exe34⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Ohmepbki.exeC:\Windows\system32\Ohmepbki.exe35⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Ogpfko32.exeC:\Windows\system32\Ogpfko32.exe36⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Omjnhiiq.exeC:\Windows\system32\Omjnhiiq.exe38⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Oaejhh32.exeC:\Windows\system32\Oaejhh32.exe39⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Ophjdehd.exeC:\Windows\system32\Ophjdehd.exe40⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Ohobebig.exeC:\Windows\system32\Ohobebig.exe41⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ogbbqo32.exeC:\Windows\system32\Ogbbqo32.exe42⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Oiqomj32.exeC:\Windows\system32\Oiqomj32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Omlkmign.exeC:\Windows\system32\Omlkmign.exe44⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Oahgnh32.exeC:\Windows\system32\Oahgnh32.exe45⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Odfcjc32.exeC:\Windows\system32\Odfcjc32.exe46⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Ohaokbfd.exeC:\Windows\system32\Ohaokbfd.exe47⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe48⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe49⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Onngci32.exeC:\Windows\system32\Onngci32.exe50⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Opmcod32.exeC:\Windows\system32\Opmcod32.exe52⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Ohdlpa32.exeC:\Windows\system32\Ohdlpa32.exe53⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe54⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Oiehhjjp.exeC:\Windows\system32\Oiehhjjp.exe55⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe56⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe57⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Pdklebje.exeC:\Windows\system32\Pdklebje.exe58⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Phfhfa32.exeC:\Windows\system32\Phfhfa32.exe59⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Pgihanii.exeC:\Windows\system32\Pgihanii.exe60⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Pjgemi32.exeC:\Windows\system32\Pjgemi32.exe61⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Pncanhaf.exeC:\Windows\system32\Pncanhaf.exe62⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Ppamjcpj.exeC:\Windows\system32\Ppamjcpj.exe63⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Pdmikb32.exeC:\Windows\system32\Pdmikb32.exe64⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Phiekaql.exeC:\Windows\system32\Phiekaql.exe65⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Pkgaglpp.exeC:\Windows\system32\Pkgaglpp.exe66⤵PID:2372
-
C:\Windows\SysWOW64\Pjjaci32.exeC:\Windows\system32\Pjjaci32.exe67⤵PID:5152
-
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe68⤵
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe69⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Windows\SysWOW64\Pdofpb32.exeC:\Windows\system32\Pdofpb32.exe70⤵PID:5276
-
C:\Windows\SysWOW64\Pgnblm32.exeC:\Windows\system32\Pgnblm32.exe71⤵PID:5312
-
C:\Windows\SysWOW64\Pkinmlnm.exeC:\Windows\system32\Pkinmlnm.exe72⤵PID:5360
-
C:\Windows\SysWOW64\Pnhjig32.exeC:\Windows\system32\Pnhjig32.exe73⤵
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Pacfjfej.exeC:\Windows\system32\Pacfjfej.exe74⤵PID:5432
-
C:\Windows\SysWOW64\Ppffec32.exeC:\Windows\system32\Ppffec32.exe75⤵PID:5472
-
C:\Windows\SysWOW64\Phmnfp32.exeC:\Windows\system32\Phmnfp32.exe76⤵
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Pgpobmca.exeC:\Windows\system32\Pgpobmca.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552 -
C:\Windows\SysWOW64\Pklkbl32.exeC:\Windows\system32\Pklkbl32.exe78⤵PID:5592
-
C:\Windows\SysWOW64\Pnjgog32.exeC:\Windows\system32\Pnjgog32.exe79⤵PID:5636
-
C:\Windows\SysWOW64\Pafcofcg.exeC:\Windows\system32\Pafcofcg.exe80⤵PID:5680
-
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe81⤵PID:5716
-
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe82⤵PID:5760
-
C:\Windows\SysWOW64\Pgbkgmao.exeC:\Windows\system32\Pgbkgmao.exe83⤵PID:5792
-
C:\Windows\SysWOW64\Pknghk32.exeC:\Windows\system32\Pknghk32.exe84⤵PID:5832
-
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe85⤵PID:5872
-
C:\Windows\SysWOW64\Pahpee32.exeC:\Windows\system32\Pahpee32.exe86⤵PID:5912
-
C:\Windows\SysWOW64\Qpkppbho.exeC:\Windows\system32\Qpkppbho.exe87⤵PID:5956
-
C:\Windows\SysWOW64\Qdflaa32.exeC:\Windows\system32\Qdflaa32.exe88⤵PID:6000
-
C:\Windows\SysWOW64\Qgehml32.exeC:\Windows\system32\Qgehml32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Qkqdnkge.exeC:\Windows\system32\Qkqdnkge.exe90⤵PID:6080
-
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe91⤵PID:6112
-
C:\Windows\SysWOW64\Qnopjfgi.exeC:\Windows\system32\Qnopjfgi.exe92⤵PID:4112
-
C:\Windows\SysWOW64\Qajlje32.exeC:\Windows\system32\Qajlje32.exe93⤵PID:996
-
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe94⤵PID:4872
-
C:\Windows\SysWOW64\Qggebl32.exeC:\Windows\system32\Qggebl32.exe95⤵PID:952
-
C:\Windows\SysWOW64\Qjeaog32.exeC:\Windows\system32\Qjeaog32.exe96⤵PID:5184
-
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe97⤵PID:348
-
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe98⤵PID:5308
-
C:\Windows\SysWOW64\Ancjef32.exeC:\Windows\system32\Ancjef32.exe99⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Aqbfaa32.exeC:\Windows\system32\Aqbfaa32.exe100⤵PID:5464
-
C:\Windows\SysWOW64\Ahinbo32.exeC:\Windows\system32\Ahinbo32.exe101⤵PID:5536
-
C:\Windows\SysWOW64\Ajjjjghg.exeC:\Windows\system32\Ajjjjghg.exe102⤵PID:5584
-
C:\Windows\SysWOW64\Ababkdij.exeC:\Windows\system32\Ababkdij.exe103⤵PID:5004
-
C:\Windows\SysWOW64\Aqdbfa32.exeC:\Windows\system32\Aqdbfa32.exe104⤵PID:4864
-
C:\Windows\SysWOW64\Adpogp32.exeC:\Windows\system32\Adpogp32.exe105⤵PID:5780
-
C:\Windows\SysWOW64\Agnkck32.exeC:\Windows\system32\Agnkck32.exe106⤵PID:5856
-
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe107⤵PID:5324
-
C:\Windows\SysWOW64\Abdoqd32.exeC:\Windows\system32\Abdoqd32.exe108⤵PID:5992
-
C:\Windows\SysWOW64\Aqfolqna.exeC:\Windows\system32\Aqfolqna.exe109⤵PID:6016
-
C:\Windows\SysWOW64\Ahngmnnd.exeC:\Windows\system32\Ahngmnnd.exe110⤵PID:6088
-
C:\Windows\SysWOW64\Agqhik32.exeC:\Windows\system32\Agqhik32.exe111⤵PID:3916
-
C:\Windows\SysWOW64\Aklciimh.exeC:\Windows\system32\Aklciimh.exe112⤵PID:1464
-
C:\Windows\SysWOW64\Anjpeelk.exeC:\Windows\system32\Anjpeelk.exe113⤵PID:1048
-
C:\Windows\SysWOW64\Aqilaplo.exeC:\Windows\system32\Aqilaplo.exe114⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Ahpdcn32.exeC:\Windows\system32\Ahpdcn32.exe115⤵PID:5260
-
C:\Windows\SysWOW64\Ajaqjfbp.exeC:\Windows\system32\Ajaqjfbp.exe116⤵PID:1388
-
C:\Windows\SysWOW64\Anmmkd32.exeC:\Windows\system32\Anmmkd32.exe117⤵PID:5508
-
C:\Windows\SysWOW64\Bqkigp32.exeC:\Windows\system32\Bqkigp32.exe118⤵PID:5628
-
C:\Windows\SysWOW64\Bkamdi32.exeC:\Windows\system32\Bkamdi32.exe119⤵PID:5736
-
C:\Windows\SysWOW64\Bnoiqd32.exeC:\Windows\system32\Bnoiqd32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Bbkeacqo.exeC:\Windows\system32\Bbkeacqo.exe121⤵PID:5352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-