Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14/09/2024, 02:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe
-
Size
60KB
-
MD5
5e8a1357107e1ba4ff7ea4d7ad100603
-
SHA1
a9a778f3067e7c1f7c8debdbf5a1a18276eb9cab
-
SHA256
d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b
-
SHA512
5e5cef496bb4baa36618a589da0b57e0efb48ef31b4169139581c6550186c061b01d1ba83008e5ef0e0bb00f4215b71486f7a9847ebff5b9a15eebbcfcf0fedc
-
SSDEEP
1536:D4qqDblP8hQDaA/F/aC/D6QnVLSLFjoB86l1rs:0pP86OY/f/+QKFjoB86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okolfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfnmcnjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnhjig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blqlgdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acgfec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcogo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipokfil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdhdfcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbcelacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkkgbmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgbec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdmjdkda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehdib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkamdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcfnqccd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmkak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejaecdnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfdaigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nejgbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albkieqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdbpjmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedceddg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeigilml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dekapfke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdklebje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihheqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odelpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmjhnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfemmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdagbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opgloh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgngqico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcndab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ammnhilb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nejbaqgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpcklpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjdfgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbbhafj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oijgmokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpeejfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgddd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicbe32.exe -
Executes dropped EXE 64 IoCs
pid Process 4036 Mhiabbdi.exe 4460 Mcoepkdo.exe 1004 Mdpagc32.exe 3188 Mlgjhp32.exe 2744 Madbagif.exe 3672 Mdbnmbhj.exe 2120 Mhnjna32.exe 1080 Mafofggd.exe 4744 Mhpgca32.exe 3184 Mahklf32.exe 5108 Medglemj.exe 828 Nlnpio32.exe 1228 Nakhaf32.exe 2292 Nlqloo32.exe 4400 Nfiagd32.exe 636 Nhgmcp32.exe 464 Ncmaai32.exe 5000 Nlefjnno.exe 4020 Nkhfek32.exe 1320 Nfnjbdep.exe 4268 Nhlfoodc.exe 4708 Nkjckkcg.exe 2884 Ncaklhdi.exe 964 Nfpghccm.exe 3316 Obfhmd32.exe 512 Ollljmhg.exe 1644 Okolfj32.exe 2340 Ofdqcc32.exe 2116 Oloipmfd.exe 4132 Ochamg32.exe 4680 Odjmdocp.exe 620 Okceaikl.exe 2248 Ocknbglo.exe 3432 Ofijnbkb.exe 4748 Ocmjhfjl.exe 3700 Pijcpmhc.exe 3332 Pkholi32.exe 2836 Pfncia32.exe 4180 Pmhkflnj.exe 624 Pecpknke.exe 1020 Pmjhlklg.exe 2228 Pbgqdb32.exe 432 Peempn32.exe 1088 Pokanf32.exe 3120 Pfeijqqe.exe 1528 Pmoagk32.exe 3744 Pcijce32.exe 4540 Qifbll32.exe 3216 Qckfid32.exe 2032 Qelcamcj.exe 3044 Qkfkng32.exe 4812 Qpbgnecp.exe 1372 Amfhgj32.exe 3992 Acppddig.exe 4120 Aealll32.exe 4516 Alkeifga.exe 1104 Abemep32.exe 1960 Aecialmb.exe 5028 Almanf32.exe 3816 Acdioc32.exe 2728 Afceko32.exe 32 Aiabhj32.exe 900 Ammnhilb.exe 4224 Acgfec32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qmekbhdn.dll Ndmgnkja.exe File created C:\Windows\SysWOW64\Imcqacfq.exe Ihheqd32.exe File opened for modification C:\Windows\SysWOW64\Cblebgfh.exe Clbmfm32.exe File created C:\Windows\SysWOW64\Iooimi32.exe Ilqmam32.exe File created C:\Windows\SysWOW64\Blnhgn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bmhibi32.exe Bnehgmob.exe File created C:\Windows\SysWOW64\Aeigilml.exe Abjkmqni.exe File created C:\Windows\SysWOW64\Aecialmb.exe Abemep32.exe File opened for modification C:\Windows\SysWOW64\Cfcoblfb.exe Cpifeb32.exe File opened for modification C:\Windows\SysWOW64\Hjjldpdf.exe Gdmcki32.exe File opened for modification C:\Windows\SysWOW64\Dhbqalle.exe Diopep32.exe File created C:\Windows\SysWOW64\Pagebpan.dll Hjnndime.exe File opened for modification C:\Windows\SysWOW64\Jokpcmmj.exe Ijngkf32.exe File created C:\Windows\SysWOW64\Jkplilgk.exe Process not Found File created C:\Windows\SysWOW64\Ldblon32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ggdigekj.exe Gdfmkjlg.exe File created C:\Windows\SysWOW64\Dkokbn32.exe Dedceddg.exe File created C:\Windows\SysWOW64\Lkmkfncf.exe Ldccid32.exe File opened for modification C:\Windows\SysWOW64\Nfeepdbg.exe Npkmcj32.exe File created C:\Windows\SysWOW64\Ejldginl.dll Process not Found File created C:\Windows\SysWOW64\Mqbgcd32.dll Gojnfb32.exe File created C:\Windows\SysWOW64\Doepod32.dll Hahedoci.exe File created C:\Windows\SysWOW64\Cokmqnam.dll Enllgbcl.exe File opened for modification C:\Windows\SysWOW64\Dolinf32.exe Dpihbjmg.exe File created C:\Windows\SysWOW64\Hcabhido.exe Hhlnjpdi.exe File opened for modification C:\Windows\SysWOW64\Capkim32.exe Cjfclcpg.exe File created C:\Windows\SysWOW64\Ocicekcm.dll Adjnaj32.exe File opened for modification C:\Windows\SysWOW64\Ccigpbga.exe Cqkkcghn.exe File created C:\Windows\SysWOW64\Njiccd32.dll Pnenchoc.exe File created C:\Windows\SysWOW64\Bjhpqn32.exe Bgicdc32.exe File opened for modification C:\Windows\SysWOW64\Pacahhib.exe Process not Found File created C:\Windows\SysWOW64\Lgefmhck.dll Odkcpi32.exe File created C:\Windows\SysWOW64\Offeahhp.exe Odhiemil.exe File created C:\Windows\SysWOW64\Ldobocab.dll Mnggnh32.exe File created C:\Windows\SysWOW64\Doqpjoik.dll Albpff32.exe File created C:\Windows\SysWOW64\Bejhhd32.exe Bnppkj32.exe File created C:\Windows\SysWOW64\Gfmmle32.dll Process not Found File created C:\Windows\SysWOW64\Oicimc32.dll Moglpedd.exe File created C:\Windows\SysWOW64\Gedohfmp.exe Gojgkl32.exe File opened for modification C:\Windows\SysWOW64\Lpdefc32.exe Lkiiee32.exe File created C:\Windows\SysWOW64\Qoecli32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qiocde32.exe Process not Found File created C:\Windows\SysWOW64\Kccbjq32.exe Jepbodhg.exe File created C:\Windows\SysWOW64\Kmmmnp32.exe Kiaqnagj.exe File opened for modification C:\Windows\SysWOW64\Qfcjhphd.exe Qpibke32.exe File created C:\Windows\SysWOW64\Ecnbgian.exe Eqpfknbj.exe File created C:\Windows\SysWOW64\Jpjqaldi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Diafqi32.exe Dajnol32.exe File opened for modification C:\Windows\SysWOW64\Ekeacmel.exe Ecoiapdj.exe File created C:\Windows\SysWOW64\Lfbqdb32.dll Process not Found File created C:\Windows\SysWOW64\Nmlhaa32.exe Mhppik32.exe File opened for modification C:\Windows\SysWOW64\Pboblika.exe Pmbjcb32.exe File opened for modification C:\Windows\SysWOW64\Ikbfbdgf.exe Ihdjfhhc.exe File created C:\Windows\SysWOW64\Lhbggd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pdeffgff.exe Pbfjjlgc.exe File opened for modification C:\Windows\SysWOW64\Iooimi32.exe Ilqmam32.exe File created C:\Windows\SysWOW64\Mpkkeehd.dll Bjqjpp32.exe File opened for modification C:\Windows\SysWOW64\Faqflb32.exe Flcndk32.exe File created C:\Windows\SysWOW64\Homcjh32.dll Mkadam32.exe File created C:\Windows\SysWOW64\Pehnboko.exe Opkfjgmh.exe File opened for modification C:\Windows\SysWOW64\Obfhmd32.exe Nfpghccm.exe File opened for modification C:\Windows\SysWOW64\Jhjcbljf.exe Jbpkfa32.exe File opened for modification C:\Windows\SysWOW64\Cddjofbj.exe Cmmbmiag.exe File created C:\Windows\SysWOW64\Ibgkgjnj.dll Enoddi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1164 14744 Process not Found 1418 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klibdcjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adpogp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkajnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjemle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcbidcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkgejncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agikne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elilmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jookjpam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmqoqbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icpecm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apobakpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqkmpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faopah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfqjhmhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlbdba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqkkcghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoefagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdphnmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihbpalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgolq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcifmdeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkfmjnii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkqdnkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmhlijpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gablgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkholi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcpojk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplmdnpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qipqibmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcjjhgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbamdkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eieplhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edoncm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albkieqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgffka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jobfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goipae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgjhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbfcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmnmbbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbpjik32.dll" Aghdco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjekp32.dll" Cpmqoqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgagnd32.dll" Ileflmpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklmbbeg.dll" Jcknee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icnmcc32.dll" Flcndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdfbfb32.dll" Jjnqap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjimnjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mihbpalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eggbbhkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gablgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooaiflce.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjlalacf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aghdco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhiabbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bampkqcn.dll" Dbehienn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoindndf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmqoqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocbgkic.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckoifgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iamlhdea.dll" Dnienqbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbqjdd32.dll" Aneppo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elenahhh.dll" Fpimgjbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knifging.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghhgh32.dll" Cemndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdaejejc.dll" Hepoddcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfahkn32.dll" Jnoopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoalo32.dll" Lbgcch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgahofh.dll" Ofmbkipk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqendklg.dll" Oinkmdml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgggockk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehienn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkiephp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnilfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agobna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjpfqpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpnepk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okkalnjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qelcamcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilkbqmk.dll" Fjlpbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keekjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dicbfhni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odhiemil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efllohoa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehglag32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bleoga32.dll" Khpcid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhqicgm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mopeofjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glngep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpflmkci.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khpcid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfcoblfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekifdefc.dll" Bkdqdokk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndpaojf.dll" Cblebgfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heohinog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clohhbli.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4672 wrote to memory of 4036 4672 d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe 90 PID 4672 wrote to memory of 4036 4672 d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe 90 PID 4672 wrote to memory of 4036 4672 d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe 90 PID 4036 wrote to memory of 4460 4036 Mhiabbdi.exe 91 PID 4036 wrote to memory of 4460 4036 Mhiabbdi.exe 91 PID 4036 wrote to memory of 4460 4036 Mhiabbdi.exe 91 PID 4460 wrote to memory of 1004 4460 Mcoepkdo.exe 92 PID 4460 wrote to memory of 1004 4460 Mcoepkdo.exe 92 PID 4460 wrote to memory of 1004 4460 Mcoepkdo.exe 92 PID 1004 wrote to memory of 3188 1004 Mdpagc32.exe 93 PID 1004 wrote to memory of 3188 1004 Mdpagc32.exe 93 PID 1004 wrote to memory of 3188 1004 Mdpagc32.exe 93 PID 3188 wrote to memory of 2744 3188 Mlgjhp32.exe 94 PID 3188 wrote to memory of 2744 3188 Mlgjhp32.exe 94 PID 3188 wrote to memory of 2744 3188 Mlgjhp32.exe 94 PID 2744 wrote to memory of 3672 2744 Madbagif.exe 95 PID 2744 wrote to memory of 3672 2744 Madbagif.exe 95 PID 2744 wrote to memory of 3672 2744 Madbagif.exe 95 PID 3672 wrote to memory of 2120 3672 Mdbnmbhj.exe 96 PID 3672 wrote to memory of 2120 3672 Mdbnmbhj.exe 96 PID 3672 wrote to memory of 2120 3672 Mdbnmbhj.exe 96 PID 2120 wrote to memory of 1080 2120 Mhnjna32.exe 98 PID 2120 wrote to memory of 1080 2120 Mhnjna32.exe 98 PID 2120 wrote to memory of 1080 2120 Mhnjna32.exe 98 PID 1080 wrote to memory of 4744 1080 Mafofggd.exe 99 PID 1080 wrote to memory of 4744 1080 Mafofggd.exe 99 PID 1080 wrote to memory of 4744 1080 Mafofggd.exe 99 PID 4744 wrote to memory of 3184 4744 Mhpgca32.exe 101 PID 4744 wrote to memory of 3184 4744 Mhpgca32.exe 101 PID 4744 wrote to memory of 3184 4744 Mhpgca32.exe 101 PID 3184 wrote to memory of 5108 3184 Mahklf32.exe 102 PID 3184 wrote to memory of 5108 3184 Mahklf32.exe 102 PID 3184 wrote to memory of 5108 3184 Mahklf32.exe 102 PID 5108 wrote to memory of 828 5108 Medglemj.exe 103 PID 5108 wrote to memory of 828 5108 Medglemj.exe 103 PID 5108 wrote to memory of 828 5108 Medglemj.exe 103 PID 828 wrote to memory of 1228 828 Nlnpio32.exe 104 PID 828 wrote to memory of 1228 828 Nlnpio32.exe 104 PID 828 wrote to memory of 1228 828 Nlnpio32.exe 104 PID 1228 wrote to memory of 2292 1228 Nakhaf32.exe 105 PID 1228 wrote to memory of 2292 1228 Nakhaf32.exe 105 PID 1228 wrote to memory of 2292 1228 Nakhaf32.exe 105 PID 2292 wrote to memory of 4400 2292 Nlqloo32.exe 107 PID 2292 wrote to memory of 4400 2292 Nlqloo32.exe 107 PID 2292 wrote to memory of 4400 2292 Nlqloo32.exe 107 PID 4400 wrote to memory of 636 4400 Nfiagd32.exe 108 PID 4400 wrote to memory of 636 4400 Nfiagd32.exe 108 PID 4400 wrote to memory of 636 4400 Nfiagd32.exe 108 PID 636 wrote to memory of 464 636 Nhgmcp32.exe 109 PID 636 wrote to memory of 464 636 Nhgmcp32.exe 109 PID 636 wrote to memory of 464 636 Nhgmcp32.exe 109 PID 464 wrote to memory of 5000 464 Ncmaai32.exe 110 PID 464 wrote to memory of 5000 464 Ncmaai32.exe 110 PID 464 wrote to memory of 5000 464 Ncmaai32.exe 110 PID 5000 wrote to memory of 4020 5000 Nlefjnno.exe 111 PID 5000 wrote to memory of 4020 5000 Nlefjnno.exe 111 PID 5000 wrote to memory of 4020 5000 Nlefjnno.exe 111 PID 4020 wrote to memory of 1320 4020 Nkhfek32.exe 112 PID 4020 wrote to memory of 1320 4020 Nkhfek32.exe 112 PID 4020 wrote to memory of 1320 4020 Nkhfek32.exe 112 PID 1320 wrote to memory of 4268 1320 Nfnjbdep.exe 113 PID 1320 wrote to memory of 4268 1320 Nfnjbdep.exe 113 PID 1320 wrote to memory of 4268 1320 Nfnjbdep.exe 113 PID 4268 wrote to memory of 4708 4268 Nhlfoodc.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe"C:\Users\Admin\AppData\Local\Temp\d1a079f7af4070847be768db3635ca3f4f3940b3a065054f53484795f717177b.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Medglemj.exeC:\Windows\system32\Medglemj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Nakhaf32.exeC:\Windows\system32\Nakhaf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Nlqloo32.exeC:\Windows\system32\Nlqloo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Nhgmcp32.exeC:\Windows\system32\Nhgmcp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Ncmaai32.exeC:\Windows\system32\Ncmaai32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Nlefjnno.exeC:\Windows\system32\Nlefjnno.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Nkhfek32.exeC:\Windows\system32\Nkhfek32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Nhlfoodc.exeC:\Windows\system32\Nhlfoodc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Nkjckkcg.exeC:\Windows\system32\Nkjckkcg.exe23⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Ncaklhdi.exeC:\Windows\system32\Ncaklhdi.exe24⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe26⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Ollljmhg.exeC:\Windows\system32\Ollljmhg.exe27⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe29⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe30⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ochamg32.exeC:\Windows\system32\Ochamg32.exe31⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe32⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe33⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Ocknbglo.exeC:\Windows\system32\Ocknbglo.exe34⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe35⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Ocmjhfjl.exeC:\Windows\system32\Ocmjhfjl.exe36⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe37⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe39⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe40⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe41⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe42⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe43⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe44⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe45⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe46⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Pmoagk32.exeC:\Windows\system32\Pmoagk32.exe47⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe48⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe49⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Qckfid32.exeC:\Windows\system32\Qckfid32.exe50⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Qelcamcj.exeC:\Windows\system32\Qelcamcj.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe52⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe53⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe54⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe55⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe56⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe57⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe59⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Almanf32.exeC:\Windows\system32\Almanf32.exe60⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe61⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe62⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe63⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe66⤵PID:3984
-
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4808 -
C:\Windows\SysWOW64\Bejobk32.exeC:\Windows\system32\Bejobk32.exe68⤵PID:2720
-
C:\Windows\SysWOW64\Bldgoeog.exeC:\Windows\system32\Bldgoeog.exe69⤵PID:2460
-
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe70⤵PID:5152
-
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe71⤵PID:5196
-
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240 -
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe73⤵PID:5284
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe74⤵PID:5328
-
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe75⤵PID:5372
-
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe76⤵PID:5412
-
C:\Windows\SysWOW64\Blknpdho.exeC:\Windows\system32\Blknpdho.exe77⤵PID:5456
-
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe78⤵PID:5500
-
C:\Windows\SysWOW64\Bipnihgi.exeC:\Windows\system32\Bipnihgi.exe79⤵PID:5540
-
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe80⤵
- Drops file in System32 directory
PID:5584 -
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe81⤵
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe82⤵PID:5668
-
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe83⤵
- System Location Discovery: System Language Discovery
PID:5712 -
C:\Windows\SysWOW64\Cffkhl32.exeC:\Windows\system32\Cffkhl32.exe84⤵PID:5756
-
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe85⤵PID:5796
-
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe86⤵PID:5848
-
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe87⤵PID:5892
-
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe88⤵PID:5936
-
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe89⤵PID:5980
-
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe90⤵PID:6024
-
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe91⤵PID:6068
-
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe92⤵PID:6112
-
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe93⤵PID:4952
-
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Dlncla32.exeC:\Windows\system32\Dlncla32.exe95⤵PID:5268
-
C:\Windows\SysWOW64\Dgdgijhp.exeC:\Windows\system32\Dgdgijhp.exe96⤵PID:5320
-
C:\Windows\SysWOW64\Dmnpfd32.exeC:\Windows\system32\Dmnpfd32.exe97⤵PID:5404
-
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe98⤵PID:5472
-
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe99⤵PID:5548
-
C:\Windows\SysWOW64\Dekapfke.exeC:\Windows\system32\Dekapfke.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Edlann32.exeC:\Windows\system32\Edlann32.exe101⤵PID:5684
-
C:\Windows\SysWOW64\Emeffcid.exeC:\Windows\system32\Emeffcid.exe102⤵PID:5752
-
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe103⤵PID:5832
-
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5904 -
C:\Windows\SysWOW64\Eljchpnl.exeC:\Windows\system32\Eljchpnl.exe105⤵PID:5964
-
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe106⤵PID:6040
-
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe107⤵PID:6096
-
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe108⤵PID:2332
-
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe109⤵
- Drops file in System32 directory
PID:4276 -
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe110⤵PID:5252
-
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe111⤵PID:5384
-
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe112⤵PID:5496
-
C:\Windows\SysWOW64\Feljgd32.exeC:\Windows\system32\Feljgd32.exe113⤵PID:5596
-
C:\Windows\SysWOW64\Fdmjdkda.exeC:\Windows\system32\Fdmjdkda.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe115⤵PID:5820
-
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe116⤵PID:5928
-
C:\Windows\SysWOW64\Fjlpbb32.exeC:\Windows\system32\Fjlpbb32.exe117⤵
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe118⤵PID:6120
-
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe119⤵PID:5168
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe121⤵
- Drops file in System32 directory
PID:5528
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-