Analysis
max time kernel: 94s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 02:34
Static task: static1
Behavioral task: behavioral1
  Sample: 822d5f8c7432a3a4e84084f81b926850N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 822d5f8c7432a3a4e84084f81b926850N.exe
  Resource: win10v2004-20240709-en
General
Target: 822d5f8c7432a3a4e84084f81b926850N.exe
Size: 1.7MB
MD5: 822d5f8c7432a3a4e84084f81b926850
SHA1: 2329647c86138f8057e5e2b4f5de04d3d54d48f5
SHA256: 97cd79bad6359d820fd4220ade04fdcacc4ec465455844797088378842971b40
SHA512: 813cfbb1775668d180fd03d28743c4057c44791d95c84bca020f134c13d7d19aa9f64b3ecd88c78536a3d9a823282a7036f1ef940d9d493611b3b6f29eb1e5ee
SSDEEP: 49152:8ix7/ix7yix7/ix7Xcix7/ix7yix7/ix7:8U/UyU/UXcU/UyU/U
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid   pid_target  Process            procid_target
1816  6136        Process not Found  1555
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\822d5f8c7432a3a4e84084f81b926850N.exe"C:\Users\Admin\AppData\Local\Temp\822d5f8c7432a3a4e84084f81b926850N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Cfmamdkm.exeC:\Windows\system32\Cfmamdkm.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Cenakl32.exeC:\Windows\system32\Cenakl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Cnffcajl.exeC:\Windows\system32\Cnffcajl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Dhokmgpm.exeC:\Windows\system32\Dhokmgpm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Djmgiboq.exeC:\Windows\system32\Djmgiboq.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Ekifdqec.exeC:\Windows\system32\Ekifdqec.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Eeokaiei.exeC:\Windows\system32\Eeokaiei.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Eonekn32.exeC:\Windows\system32\Eonekn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Fgkgepqj.exeC:\Windows\system32\Fgkgepqj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Fkiokn32.exeC:\Windows\system32\Fkiokn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Fhpmjbch.exeC:\Windows\system32\Fhpmjbch.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Fahachjh.exeC:\Windows\system32\Fahachjh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Golamlib.exeC:\Windows\system32\Golamlib.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Gdijecgi.exeC:\Windows\system32\Gdijecgi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Gnaonh32.exeC:\Windows\system32\Gnaonh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Gdkgjb32.exeC:\Windows\system32\Gdkgjb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Goqkhk32.exeC:\Windows\system32\Goqkhk32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Gekcdeli.exeC:\Windows\system32\Gekcdeli.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Gglpln32.exeC:\Windows\system32\Gglpln32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Gochmk32.exeC:\Windows\system32\Gochmk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Gfmpjejf.exeC:\Windows\system32\Gfmpjejf.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Goedbkag.exeC:\Windows\system32\Goedbkag.exe23⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Hdbmkaoo.exeC:\Windows\system32\Hdbmkaoo.exe24⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Hklehl32.exeC:\Windows\system32\Hklehl32.exe25⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Hnjadg32.exeC:\Windows\system32\Hnjadg32.exe26⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Hhpeapee.exeC:\Windows\system32\Hhpeapee.exe27⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Hojnnj32.exeC:\Windows\system32\Hojnnj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Hdgffq32.exeC:\Windows\system32\Hdgffq32.exe29⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Hkqockbf.exeC:\Windows\system32\Hkqockbf.exe30⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Hffbpcbl.exeC:\Windows\system32\Hffbpcbl.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Hggohl32.exeC:\Windows\system32\Hggohl32.exe32⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hnagdf32.exeC:\Windows\system32\Hnagdf32.exe33⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Hdkpapgd.exeC:\Windows\system32\Hdkpapgd.exe34⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Hkehnj32.exeC:\Windows\system32\Hkehnj32.exe35⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Inddje32.exeC:\Windows\system32\Inddje32.exe36⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Idnlgpea.exeC:\Windows\system32\Idnlgpea.exe37⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Iglhckde.exeC:\Windows\system32\Iglhckde.exe38⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Infapela.exeC:\Windows\system32\Infapela.exe39⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Idpilp32.exeC:\Windows\system32\Idpilp32.exe40⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Igoehk32.exeC:\Windows\system32\Igoehk32.exe41⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Iofmjh32.exeC:\Windows\system32\Iofmjh32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Ifpefbja.exeC:\Windows\system32\Ifpefbja.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\Iohjoh32.exeC:\Windows\system32\Iohjoh32.exe44⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Ifbblb32.exeC:\Windows\system32\Ifbblb32.exe45⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Igcocjnm.exeC:\Windows\system32\Igcocjnm.exe46⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Iojgegoo.exeC:\Windows\system32\Iojgegoo.exe47⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Ifdoaa32.exeC:\Windows\system32\Ifdoaa32.exe48⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Igekijlj.exeC:\Windows\system32\Igekijlj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Jnpcfd32.exeC:\Windows\system32\Jnpcfd32.exe50⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Jeilbn32.exeC:\Windows\system32\Jeilbn32.exe51⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Jkcdohbq.exeC:\Windows\system32\Jkcdohbq.exe52⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Jbmllb32.exeC:\Windows\system32\Jbmllb32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Jelihn32.exeC:\Windows\system32\Jelihn32.exe54⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Jkfaehpn.exeC:\Windows\system32\Jkfaehpn.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Jndmacoa.exeC:\Windows\system32\Jndmacoa.exe56⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Jfkebq32.exeC:\Windows\system32\Jfkebq32.exe57⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Jgmajifb.exeC:\Windows\system32\Jgmajifb.exe58⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Jnfjfc32.exeC:\Windows\system32\Jnfjfc32.exe59⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Jeqbcmel.exeC:\Windows\system32\Jeqbcmel.exe60⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Jkjjpg32.exeC:\Windows\system32\Jkjjpg32.exe61⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Jbdbmace.exeC:\Windows\system32\Jbdbmace.exe62⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Jinkikkb.exeC:\Windows\system32\Jinkikkb.exe63⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Kphcfe32.exeC:\Windows\system32\Kphcfe32.exe64⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kfbkbpjl.exeC:\Windows\system32\Kfbkbpjl.exe65⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Kgchjh32.exeC:\Windows\system32\Kgchjh32.exe66⤵PID:4628
-
C:\Windows\SysWOW64\Kpkple32.exeC:\Windows\system32\Kpkple32.exe67⤵PID:1268
-
C:\Windows\SysWOW64\Kfehhohi.exeC:\Windows\system32\Kfehhohi.exe68⤵PID:1564
-
C:\Windows\SysWOW64\Khfdpgng.exeC:\Windows\system32\Khfdpgng.exe69⤵
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Knpmma32.exeC:\Windows\system32\Knpmma32.exe70⤵PID:4444
-
C:\Windows\SysWOW64\Kfgdno32.exeC:\Windows\system32\Kfgdno32.exe71⤵PID:1032
-
C:\Windows\SysWOW64\Khhaegle.exeC:\Windows\system32\Khhaegle.exe72⤵PID:4744
-
C:\Windows\SysWOW64\Knbiba32.exeC:\Windows\system32\Knbiba32.exe73⤵PID:2688
-
C:\Windows\SysWOW64\Kfiaco32.exeC:\Windows\system32\Kfiaco32.exe74⤵PID:3248
-
C:\Windows\SysWOW64\Khknkgjb.exeC:\Windows\system32\Khknkgjb.exe75⤵PID:1732
-
C:\Windows\SysWOW64\Kndfhaao.exeC:\Windows\system32\Kndfhaao.exe76⤵PID:4160
-
C:\Windows\SysWOW64\Keondk32.exeC:\Windows\system32\Keondk32.exe77⤵PID:2448
-
C:\Windows\SysWOW64\Llhfaepi.exeC:\Windows\system32\Llhfaepi.exe78⤵PID:4972
-
C:\Windows\SysWOW64\Lfnkonpo.exeC:\Windows\system32\Lfnkonpo.exe79⤵PID:1988
-
C:\Windows\SysWOW64\Lhogff32.exeC:\Windows\system32\Lhogff32.exe80⤵PID:2180
-
C:\Windows\SysWOW64\Lpfogcfo.exeC:\Windows\system32\Lpfogcfo.exe81⤵PID:4504
-
C:\Windows\SysWOW64\Lfqgdn32.exeC:\Windows\system32\Lfqgdn32.exe82⤵PID:5124
-
C:\Windows\SysWOW64\Lhadlfcj.exeC:\Windows\system32\Lhadlfcj.exe83⤵PID:5160
-
C:\Windows\SysWOW64\Lbghiocp.exeC:\Windows\system32\Lbghiocp.exe84⤵PID:5200
-
C:\Windows\SysWOW64\Liapfi32.exeC:\Windows\system32\Liapfi32.exe85⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Lpkibcbj.exeC:\Windows\system32\Lpkibcbj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5268 -
C:\Windows\SysWOW64\Lfeaomjf.exeC:\Windows\system32\Lfeaomjf.exe87⤵PID:5304
-
C:\Windows\SysWOW64\Llbigdhn.exeC:\Windows\system32\Llbigdhn.exe88⤵PID:5340
-
C:\Windows\SysWOW64\Lbladn32.exeC:\Windows\system32\Lbladn32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5376 -
C:\Windows\SysWOW64\Lifjahgh.exeC:\Windows\system32\Lifjahgh.exe90⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Mobbioeo.exeC:\Windows\system32\Mobbioeo.exe91⤵PID:5452
-
C:\Windows\SysWOW64\Memjfill.exeC:\Windows\system32\Memjfill.exe92⤵PID:5484
-
C:\Windows\SysWOW64\Mlfcbc32.exeC:\Windows\system32\Mlfcbc32.exe93⤵PID:5524
-
C:\Windows\SysWOW64\Mbqkomke.exeC:\Windows\system32\Mbqkomke.exe94⤵PID:5560
-
C:\Windows\SysWOW64\Mhmcgdim.exeC:\Windows\system32\Mhmcgdim.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5592 -
C:\Windows\SysWOW64\Mpdkiajo.exeC:\Windows\system32\Mpdkiajo.exe96⤵PID:5628
-
C:\Windows\SysWOW64\Mfocelal.exeC:\Windows\system32\Mfocelal.exe97⤵PID:5664
-
C:\Windows\SysWOW64\Mimpagqp.exeC:\Windows\system32\Mimpagqp.exe98⤵PID:5700
-
C:\Windows\SysWOW64\Mpghna32.exeC:\Windows\system32\Mpghna32.exe99⤵PID:5740
-
C:\Windows\SysWOW64\Mfapkkpi.exeC:\Windows\system32\Mfapkkpi.exe100⤵PID:5776
-
C:\Windows\SysWOW64\Mhbmbc32.exeC:\Windows\system32\Mhbmbc32.exe101⤵PID:5812
-
C:\Windows\SysWOW64\Moleonmd.exeC:\Windows\system32\Moleonmd.exe102⤵PID:5844
-
C:\Windows\SysWOW64\Mfcmqknf.exeC:\Windows\system32\Mfcmqknf.exe103⤵PID:5880
-
C:\Windows\SysWOW64\Niaimf32.exeC:\Windows\system32\Niaimf32.exe104⤵PID:5920
-
C:\Windows\SysWOW64\Nonbem32.exeC:\Windows\system32\Nonbem32.exe105⤵PID:5952
-
C:\Windows\SysWOW64\Nfejfk32.exeC:\Windows\system32\Nfejfk32.exe106⤵PID:5992
-
C:\Windows\SysWOW64\Nhgfncab.exeC:\Windows\system32\Nhgfncab.exe107⤵PID:6028
-
C:\Windows\SysWOW64\Noqojm32.exeC:\Windows\system32\Noqojm32.exe108⤵
- Modifies registry class
PID:6064 -
C:\Windows\SysWOW64\Nekgggpl.exeC:\Windows\system32\Nekgggpl.exe109⤵PID:6100
-
C:\Windows\SysWOW64\Nhiccb32.exeC:\Windows\system32\Nhiccb32.exe110⤵PID:6132
-
C:\Windows\SysWOW64\Nockpmgl.exeC:\Windows\system32\Nockpmgl.exe111⤵PID:2880
-
C:\Windows\SysWOW64\Nemcmg32.exeC:\Windows\system32\Nemcmg32.exe112⤵PID:4936
-
C:\Windows\SysWOW64\Nlgliaef.exeC:\Windows\system32\Nlgliaef.exe113⤵PID:4492
-
C:\Windows\SysWOW64\Noehelej.exeC:\Windows\system32\Noehelej.exe114⤵PID:2368
-
C:\Windows\SysWOW64\Neopbf32.exeC:\Windows\system32\Neopbf32.exe115⤵PID:2612
-
C:\Windows\SysWOW64\Nlihoq32.exeC:\Windows\system32\Nlihoq32.exe116⤵PID:2216
-
C:\Windows\SysWOW64\Nohdkl32.exeC:\Windows\system32\Nohdkl32.exe117⤵PID:5184
-
C:\Windows\SysWOW64\Neamhfjd.exeC:\Windows\system32\Neamhfjd.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Ohpidaig.exeC:\Windows\system32\Ohpidaig.exe119⤵PID:5324
-
C:\Windows\SysWOW64\Ocfmajin.exeC:\Windows\system32\Ocfmajin.exe120⤵PID:5372
-
C:\Windows\SysWOW64\Oedjmfha.exeC:\Windows\system32\Oedjmfha.exe121⤵PID:5436
-
C:\Windows\SysWOW64\Olnbjp32.exeC:\Windows\system32\Olnbjp32.exe122⤵PID:4748
-