Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
102s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/09/2024, 04:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b2cca30080a7cc84dd1679bcb11f4020N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b2cca30080a7cc84dd1679bcb11f4020N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b2cca30080a7cc84dd1679bcb11f4020N.exe
-
Size
55KB
-
MD5
b2cca30080a7cc84dd1679bcb11f4020
-
SHA1
c2832d71d3082f9476837aec2a6789b4a3a4301b
-
SHA256
51836ae48fdbf5e11b07fe81889ac3550109a58c9a6ebeb1777923890d722211
-
SHA512
8eaadce7b785b9b87ef757bf80576ead46db47728507235881518fb64dd7125ae3f864e88ae4ca73c3834b94c48b066a90d8c9e7aea3f20769dc7f26dc4e36ce
-
SSDEEP
768:27wHDJQKJhpZ60Ft0Bnfff4SEQYcJdx+LkcVIjaYWoJ6g5M6T9FlB11AJZ/1H5lH:GkVQK9tuv4SEKgoa3To4g5bTH/e5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidofh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmoohbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lddgmbpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jieagojp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cflkpblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igedlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifcejnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfmno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfipef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malpia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcphab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maiccajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfmcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Embkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icnklbmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibbqicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cibmlmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maiccajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndflak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpfjma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngaionfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflaie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mngegmbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkadfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqklon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbajbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgcph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gingkqkd.exe -
Executes dropped EXE 64 IoCs
pid Process 4328 Ekgbccni.exe 3644 Eaakpm32.exe 460 Edpgli32.exe 4788 Egnchd32.exe 2540 Eoekia32.exe 3740 Emhldnkj.exe 412 Fdbdah32.exe 3448 Fgppmd32.exe 1988 Foghnabl.exe 4644 Feapkk32.exe 372 Fhpmgg32.exe 2128 Fojedapj.exe 3980 Fahaplon.exe 4704 Fdfmlhna.exe 1848 Fgeihcme.exe 3364 Folaiqng.exe 2396 Fefjfked.exe 4620 Fhdfbfdh.exe 3116 Fkcboack.exe 1932 Fnaokmco.exe 764 Fehfljca.exe 4552 Fgjccb32.exe 980 Fkeodaai.exe 4196 Fnckpmql.exe 696 Gaogak32.exe 5040 Gdncmghi.exe 5024 Gglpibgm.exe 1152 Gnfhfl32.exe 4420 Gempgj32.exe 4488 Ghklce32.exe 3568 Ggnlobej.exe 2796 Goedpofl.exe 3376 Gnhdkl32.exe 2260 Gepmlimi.exe 4292 Ghniielm.exe 4592 Gkleeplq.exe 4760 Gafmaj32.exe 348 Gddinf32.exe 1332 Ggcfja32.exe 3628 Gojnko32.exe 2568 Gahjgj32.exe 4816 Gdgfce32.exe 4432 Ggeboaob.exe 3668 Gkaopp32.exe 4296 Hnoklk32.exe 1888 Hffcmh32.exe 4996 Hheoid32.exe 2428 Hkckeo32.exe 3216 Hnagak32.exe 4440 Hfipbh32.exe 824 Hdlpneli.exe 4780 Hkehkocf.exe 1780 Hoadkn32.exe 4400 Hnddgjbj.exe 3688 Hfklhhcl.exe 4716 Hdnldd32.exe 2096 Hglipp32.exe 4036 Hocqam32.exe 2080 Hbbmmi32.exe 2104 Hfningai.exe 4792 Hdpiid32.exe 3920 Hgoeep32.exe 2176 Hofmfmhj.exe 2860 Hbdjchgn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bagmdllg.exe Process not Found File created C:\Windows\SysWOW64\Goedpofl.exe Ggnlobej.exe File created C:\Windows\SysWOW64\Gojiiafp.exe Gmimai32.exe File created C:\Windows\SysWOW64\Eepmqdbn.dll Process not Found File created C:\Windows\SysWOW64\Pkbcikkp.dll Process not Found File created C:\Windows\SysWOW64\Mbdiknlb.exe Process not Found File created C:\Windows\SysWOW64\Embkoi32.exe Efhcbodf.exe File created C:\Windows\SysWOW64\Qofcff32.exe Qlggjk32.exe File created C:\Windows\SysWOW64\Jdobpkmb.dll Qhkdof32.exe File created C:\Windows\SysWOW64\Hpaoan32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hjedffig.exe Hhdhon32.exe File created C:\Windows\SysWOW64\Ddpapmqq.dll Ddligq32.exe File opened for modification C:\Windows\SysWOW64\Fniihmpf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fgppmd32.exe Fdbdah32.exe File opened for modification C:\Windows\SysWOW64\Kgknhl32.exe Kihnmohm.exe File opened for modification C:\Windows\SysWOW64\Kijjbofj.exe Kflnfcgg.exe File opened for modification C:\Windows\SysWOW64\Ckclhn32.exe Blqllqqa.exe File opened for modification C:\Windows\SysWOW64\Lfeljd32.exe Process not Found File created C:\Windows\SysWOW64\Loglacfo.exe Lpekef32.exe File created C:\Windows\SysWOW64\Nibbqicm.exe Nchjdo32.exe File created C:\Windows\SysWOW64\Jbaojpgb.exe Jkhgmf32.exe File opened for modification C:\Windows\SysWOW64\Hpchib32.exe Process not Found File created C:\Windows\SysWOW64\Fkikinpo.dll Process not Found File created C:\Windows\SysWOW64\Gphqhffa.dll Oocddono.exe File opened for modification C:\Windows\SysWOW64\Kjgeedch.exe Process not Found File opened for modification C:\Windows\SysWOW64\Obnehj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pjjfdfbb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pgflqkdd.exe Poodpmca.exe File opened for modification C:\Windows\SysWOW64\Knflpoqf.exe Kkhpdcab.exe File created C:\Windows\SysWOW64\Peahgl32.exe Oogpjbbb.exe File opened for modification C:\Windows\SysWOW64\Kemooo32.exe Process not Found File created C:\Windows\SysWOW64\Fpggamqc.exe Fllkqn32.exe File created C:\Windows\SysWOW64\Ibaeen32.exe Process not Found File created C:\Windows\SysWOW64\Gbhibfek.dll Process not Found File created C:\Windows\SysWOW64\Mecegjob.dll Kpdboimg.exe File created C:\Windows\SysWOW64\Bidqko32.exe Bjaqpbkh.exe File created C:\Windows\SysWOW64\Aplpihjd.dll Dpnbog32.exe File opened for modification C:\Windows\SysWOW64\Jkjcbe32.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Bbnkonbd.exe Bopocbcq.exe File created C:\Windows\SysWOW64\Cgndoeag.exe Cpglnhad.exe File opened for modification C:\Windows\SysWOW64\Geohklaa.exe Gflhoo32.exe File opened for modification C:\Windows\SysWOW64\Kiaqcnpb.exe Kbghfc32.exe File opened for modification C:\Windows\SysWOW64\Ggmmlamj.exe Process not Found File created C:\Windows\SysWOW64\Iponmakp.dll Process not Found File created C:\Windows\SysWOW64\Enkjji32.dll Miofjepg.exe File opened for modification C:\Windows\SysWOW64\Kglmio32.exe Kdmqmc32.exe File opened for modification C:\Windows\SysWOW64\Nnicid32.exe Nlkgmh32.exe File opened for modification C:\Windows\SysWOW64\Nmnqjp32.exe Njpdnedf.exe File created C:\Windows\SysWOW64\Fomnhddq.dll Process not Found File created C:\Windows\SysWOW64\Miaajlho.dll Bpnihiio.exe File opened for modification C:\Windows\SysWOW64\Jgcamf32.exe Jdedak32.exe File created C:\Windows\SysWOW64\Cglblmfn.dll Amjillkj.exe File created C:\Windows\SysWOW64\Nnojho32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cncnob32.exe Process not Found File created C:\Windows\SysWOW64\Oileggkb.exe Ogmijllo.exe File created C:\Windows\SysWOW64\Djmibn32.exe Dfamapjo.exe File created C:\Windows\SysWOW64\Epokedmj.exe Empoiimf.exe File created C:\Windows\SysWOW64\Pkcadhgm.exe Phedhmhi.exe File created C:\Windows\SysWOW64\Dcbknkol.dll Llipehgk.exe File created C:\Windows\SysWOW64\Hnbfbhoh.dll Aompak32.exe File created C:\Windows\SysWOW64\Fpmehf32.dll Pkenjh32.exe File created C:\Windows\SysWOW64\Hhfgeigk.dll Oejbfmpg.exe File created C:\Windows\SysWOW64\Oaifpi32.exe Process not Found File created C:\Windows\SysWOW64\Lnnikdnj.exe Llpmoiof.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13596 12728 Process not Found 1700 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokgdkeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibffhhek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmingjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdafkdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjbhmad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjffdalb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbdah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aleckinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fojedapj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikglnkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpihcgoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polppg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fineoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpdfnolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmjaphek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djelgied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjchgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgbccni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaifp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcniglmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmlnjco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcodihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgeno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gingkqkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbqhhfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiejmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edmpgp32.dll" Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnpml32.dll" Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjfjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emmkiclm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqkclhkh.dll" Gkleeplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhajknb.dll" Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmmgg32.dll" Bfhadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mojhgbdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjlic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jilnqqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhcfaai.dll" Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieicjl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjqjajoe.dll" Mlpokp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbponhh.dll" Lpekef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdpiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbngllob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfcjfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifona32.dll" Pabblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejlbhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafehe32.dll" Mkadfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" Olanmgig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqglkmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnndm32.dll" Hkckeo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2032 wrote to memory of 4328 2032 b2cca30080a7cc84dd1679bcb11f4020N.exe 84 PID 2032 wrote to memory of 4328 2032 b2cca30080a7cc84dd1679bcb11f4020N.exe 84 PID 2032 wrote to memory of 4328 2032 b2cca30080a7cc84dd1679bcb11f4020N.exe 84 PID 4328 wrote to memory of 3644 4328 Ekgbccni.exe 85 PID 4328 wrote to memory of 3644 4328 Ekgbccni.exe 85 PID 4328 wrote to memory of 3644 4328 Ekgbccni.exe 85 PID 3644 wrote to memory of 460 3644 Eaakpm32.exe 86 PID 3644 wrote to memory of 460 3644 Eaakpm32.exe 86 PID 3644 wrote to memory of 460 3644 Eaakpm32.exe 86 PID 460 wrote to memory of 4788 460 Edpgli32.exe 87 PID 460 wrote to memory of 4788 460 Edpgli32.exe 87 PID 460 wrote to memory of 4788 460 Edpgli32.exe 87 PID 4788 wrote to memory of 2540 4788 Egnchd32.exe 88 PID 4788 wrote to memory of 2540 4788 Egnchd32.exe 88 PID 4788 wrote to memory of 2540 4788 Egnchd32.exe 88 PID 2540 wrote to memory of 3740 2540 Eoekia32.exe 89 PID 2540 wrote to memory of 3740 2540 Eoekia32.exe 89 PID 2540 wrote to memory of 3740 2540 Eoekia32.exe 89 PID 3740 wrote to memory of 412 3740 Emhldnkj.exe 91 PID 3740 wrote to memory of 412 3740 Emhldnkj.exe 91 PID 3740 wrote to memory of 412 3740 Emhldnkj.exe 91 PID 412 wrote to memory of 3448 412 Fdbdah32.exe 92 PID 412 wrote to memory of 3448 412 Fdbdah32.exe 92 PID 412 wrote to memory of 3448 412 Fdbdah32.exe 92 PID 3448 wrote to memory of 1988 3448 Fgppmd32.exe 93 PID 3448 wrote to memory of 1988 3448 Fgppmd32.exe 93 PID 3448 wrote to memory of 1988 3448 Fgppmd32.exe 93 PID 1988 wrote to memory of 4644 1988 Foghnabl.exe 94 PID 1988 wrote to memory of 4644 1988 Foghnabl.exe 94 PID 1988 wrote to memory of 4644 1988 Foghnabl.exe 94 PID 4644 wrote to memory of 372 4644 Feapkk32.exe 95 PID 4644 wrote to memory of 372 4644 Feapkk32.exe 95 PID 4644 wrote to memory of 372 4644 Feapkk32.exe 95 PID 372 wrote to memory of 2128 372 Fhpmgg32.exe 96 PID 372 wrote to memory of 2128 372 Fhpmgg32.exe 96 PID 372 wrote to memory of 2128 372 Fhpmgg32.exe 96 PID 2128 wrote to memory of 3980 2128 Fojedapj.exe 97 PID 2128 wrote to memory of 3980 2128 Fojedapj.exe 97 PID 2128 wrote to memory of 3980 2128 Fojedapj.exe 97 PID 3980 wrote to memory of 4704 3980 Fahaplon.exe 98 PID 3980 wrote to memory of 4704 3980 Fahaplon.exe 98 PID 3980 wrote to memory of 4704 3980 Fahaplon.exe 98 PID 4704 wrote to memory of 1848 4704 Fdfmlhna.exe 99 PID 4704 wrote to memory of 1848 4704 Fdfmlhna.exe 99 PID 4704 wrote to memory of 1848 4704 Fdfmlhna.exe 99 PID 1848 wrote to memory of 3364 1848 Fgeihcme.exe 101 PID 1848 wrote to memory of 3364 1848 Fgeihcme.exe 101 PID 1848 wrote to memory of 3364 1848 Fgeihcme.exe 101 PID 3364 wrote to memory of 2396 3364 Folaiqng.exe 102 PID 3364 wrote to memory of 2396 3364 Folaiqng.exe 102 PID 3364 wrote to memory of 2396 3364 Folaiqng.exe 102 PID 2396 wrote to memory of 4620 2396 Fefjfked.exe 103 PID 2396 wrote to memory of 4620 2396 Fefjfked.exe 103 PID 2396 wrote to memory of 4620 2396 Fefjfked.exe 103 PID 4620 wrote to memory of 3116 4620 Fhdfbfdh.exe 104 PID 4620 wrote to memory of 3116 4620 Fhdfbfdh.exe 104 PID 4620 wrote to memory of 3116 4620 Fhdfbfdh.exe 104 PID 3116 wrote to memory of 1932 3116 Fkcboack.exe 106 PID 3116 wrote to memory of 1932 3116 Fkcboack.exe 106 PID 3116 wrote to memory of 1932 3116 Fkcboack.exe 106 PID 1932 wrote to memory of 764 1932 Fnaokmco.exe 107 PID 1932 wrote to memory of 764 1932 Fnaokmco.exe 107 PID 1932 wrote to memory of 764 1932 Fnaokmco.exe 107 PID 764 wrote to memory of 4552 764 Fehfljca.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2cca30080a7cc84dd1679bcb11f4020N.exe"C:\Users\Admin\AppData\Local\Temp\b2cca30080a7cc84dd1679bcb11f4020N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe23⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe24⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe25⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe26⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe27⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe28⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe29⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe30⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe31⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe33⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe34⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe35⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe36⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4592 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe38⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe39⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe40⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe41⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe42⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe43⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe44⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe45⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe46⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe47⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe48⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe50⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe51⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe52⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe53⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe54⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe55⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe56⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe57⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe58⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe59⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe60⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe61⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe63⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe64⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe66⤵PID:3280
-
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe67⤵PID:2136
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe68⤵PID:836
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe69⤵
- System Location Discovery: System Language Discovery
PID:4192 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe70⤵PID:1408
-
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe71⤵PID:1540
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe72⤵PID:628
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe73⤵PID:2584
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe74⤵PID:1304
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe75⤵PID:2436
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe76⤵PID:1612
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe77⤵PID:2932
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe78⤵PID:2684
-
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe79⤵PID:3992
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe80⤵PID:1752
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe81⤵
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe82⤵PID:4392
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe83⤵PID:5104
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe84⤵PID:4812
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe85⤵PID:5100
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe86⤵PID:4840
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe87⤵PID:3620
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe88⤵
- Modifies registry class
PID:3888 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe89⤵PID:4376
-
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe90⤵PID:216
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe91⤵PID:4060
-
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe92⤵PID:2132
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe93⤵PID:4872
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe94⤵PID:3412
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe95⤵PID:4068
-
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe96⤵PID:5152
-
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe97⤵PID:5200
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe98⤵PID:5244
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe99⤵PID:5288
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe100⤵PID:5332
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe101⤵
- System Location Discovery: System Language Discovery
PID:5392 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe102⤵
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe103⤵PID:5512
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe104⤵PID:5556
-
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5600 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe106⤵PID:5644
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe107⤵PID:5692
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe108⤵PID:5736
-
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe109⤵PID:5780
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe110⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe111⤵PID:5868
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe112⤵PID:5908
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe113⤵PID:5952
-
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe114⤵PID:5992
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe115⤵
- Drops file in System32 directory
PID:6036 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe116⤵PID:6080
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe117⤵PID:6120
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe118⤵
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe119⤵PID:5236
-
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe120⤵PID:5280
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe121⤵PID:5388
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-