Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14/09/2024, 09:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6a5bd7de2e09a2cca83569fd1c3bf40N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d6a5bd7de2e09a2cca83569fd1c3bf40N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d6a5bd7de2e09a2cca83569fd1c3bf40N.exe
-
Size
96KB
-
MD5
d6a5bd7de2e09a2cca83569fd1c3bf40
-
SHA1
2b3116154c72edc256a30c44033d36af6c43c7a5
-
SHA256
ad93620702910893062491a59e8d4d8b5a5b06e261aac97b6e7764ae0e6582b9
-
SHA512
f55b140ec497c369cc70b7db1df0a7aadbe791984c10777769816df8663cfc6d79586158b8ebb14d35aa2dfa1679ca94aa103b2cad2071f6baa78804ec02e348
-
SSDEEP
1536:Z6hpRrVLQ7X38jDJG7Y/NLm4T8mmfE2L3sBMu/HCmiDcg3MZRP3cEW3AE:KJyMjDv/NLm4Tq3a6miEo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbloglj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcblpdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jemfhacc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhbqbae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fecadghc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akglloai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjdikqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmechmip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmoijje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjgim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmohmoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaonbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcikejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqlcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqbcbkab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kamjda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfagighf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcekpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingpmmgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlbcnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhgbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfgdpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnlme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paeelgnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljpaqmgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ingpmmgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqikmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabfjpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfodeohd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjkaabc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfmde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiahnnph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcldb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjkfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhifomdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Manmoq32.exe -
Executes dropped EXE 64 IoCs
pid Process 2668 Fpbmfn32.exe 4556 Fjhacf32.exe 4356 Fmfnpa32.exe 4524 Fdqfll32.exe 64 Fjjnifbl.exe 1272 Fmikeaap.exe 4908 Fpggamqc.exe 856 Ffaong32.exe 2156 Fipkjb32.exe 516 Flngfn32.exe 4744 Ffclcgfn.exe 2464 Fibhpbea.exe 2928 Flqdlnde.exe 680 Fdglmkeg.exe 1232 Fffhifdk.exe 4788 Fideeaco.exe 3716 Gdjibj32.exe 4164 Gigaka32.exe 3936 Glengm32.exe 228 Gbofcghl.exe 4808 Gjfnedho.exe 3756 Glgjlm32.exe 1100 Gpcfmkff.exe 2692 Gbabigfj.exe 2384 Gkhkjd32.exe 436 Gmggfp32.exe 336 Gbdoof32.exe 2712 Gfokoelp.exe 4168 Glldgljg.exe 1144 Gdcliikj.exe 4336 Ggahedjn.exe 5008 Gipdap32.exe 2604 Hmlpaoaj.exe 4296 Hpjmnjqn.exe 4964 Hbhijepa.exe 3364 Hibafp32.exe 3584 Hlambk32.exe 3800 Hdhedh32.exe 2256 Hgfapd32.exe 4880 Hlcjhkdp.exe 2260 Hdjbiheb.exe 3192 Hginecde.exe 1812 Hkdjfb32.exe 4852 Hmbfbn32.exe 3788 Hpabni32.exe 1824 Hcpojd32.exe 2076 Hgkkkcbc.exe 1236 Hkfglb32.exe 2160 Hmechmip.exe 1960 Hmechmip.exe 3956 Hpcodihc.exe 1908 Hcblpdgg.exe 4656 Hgmgqc32.exe 3148 Hildmn32.exe 4740 Ingpmmgm.exe 1340 Ipflihfq.exe 4504 Icdheded.exe 2312 Ikkpgafg.exe 2656 Iinqbn32.exe 2788 Iphioh32.exe 2240 Icfekc32.exe 2404 Iknmla32.exe 1412 Ijqmhnko.exe 4644 Iloidijb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fideeaco.exe Fffhifdk.exe File created C:\Windows\SysWOW64\Cdpcal32.exe Caageq32.exe File created C:\Windows\SysWOW64\Hpfbcn32.exe Ghojbq32.exe File opened for modification C:\Windows\SysWOW64\Piocecgj.exe Pfagighf.exe File created C:\Windows\SysWOW64\Jjgobjmp.dll Nndjndbh.exe File created C:\Windows\SysWOW64\Gefklj32.dll Hekgfj32.exe File created C:\Windows\SysWOW64\Bmjkic32.exe Bklomh32.exe File opened for modification C:\Windows\SysWOW64\Iolhkh32.exe Ipihpkkd.exe File created C:\Windows\SysWOW64\Hbgkei32.exe Hpioin32.exe File created C:\Windows\SysWOW64\Mljmhflh.exe Mjlalkmd.exe File created C:\Windows\SysWOW64\Nhoped32.dll Pmhbqbae.exe File created C:\Windows\SysWOW64\Mmnhcb32.exe Mnkggfkb.exe File opened for modification C:\Windows\SysWOW64\Bffcpg32.exe Bnoknihb.exe File created C:\Windows\SysWOW64\Ilchfdgp.dll Dmcain32.exe File opened for modification C:\Windows\SysWOW64\Jghpbk32.exe Joahqn32.exe File opened for modification C:\Windows\SysWOW64\Nfgklkoc.exe Momcpa32.exe File created C:\Windows\SysWOW64\Mjfmcmai.dll Cnkkjh32.exe File created C:\Windows\SysWOW64\Lejgpb32.dll Gnepna32.exe File created C:\Windows\SysWOW64\Ocohmc32.exe Oaplqh32.exe File opened for modification C:\Windows\SysWOW64\Hbldphde.exe Hnphoj32.exe File created C:\Windows\SysWOW64\Gflonn32.dll Ojemig32.exe File created C:\Windows\SysWOW64\Ogpoeg32.dll Addaif32.exe File created C:\Windows\SysWOW64\Kiodpebj.dll Ickglm32.exe File created C:\Windows\SysWOW64\Dbfpagon.dll Aogbfi32.exe File opened for modification C:\Windows\SysWOW64\Jbccge32.exe Johggfha.exe File created C:\Windows\SysWOW64\Hpabni32.exe Hmbfbn32.exe File created C:\Windows\SysWOW64\Hokomfqg.dll Ipdndloi.exe File opened for modification C:\Windows\SysWOW64\Lpjjmg32.exe Ljpaqmgb.exe File created C:\Windows\SysWOW64\Bdcmkgmm.exe Baepolni.exe File opened for modification C:\Windows\SysWOW64\Apjdikqd.exe Amkhmoap.exe File created C:\Windows\SysWOW64\Afhfaddk.exe Adjjeieh.exe File created C:\Windows\SysWOW64\Amdcghbo.dll Jepjhg32.exe File opened for modification C:\Windows\SysWOW64\Klhnfo32.exe Knenkbio.exe File created C:\Windows\SysWOW64\Gimngjie.dll Egened32.exe File opened for modification C:\Windows\SysWOW64\Hhdcmp32.exe Heegad32.exe File created C:\Windows\SysWOW64\Ikbfgppo.exe Idhnkf32.exe File opened for modification C:\Windows\SysWOW64\Oghghb32.exe Ombcji32.exe File created C:\Windows\SysWOW64\Afbgkl32.exe Adcjop32.exe File created C:\Windows\SysWOW64\Afockelf.exe Acqgojmb.exe File opened for modification C:\Windows\SysWOW64\Apmhiq32.exe Amnlme32.exe File created C:\Windows\SysWOW64\Jojdlfeo.exe Jllhpkfk.exe File opened for modification C:\Windows\SysWOW64\Kiphjo32.exe Jahqiaeb.exe File opened for modification C:\Windows\SysWOW64\Aabkbono.exe Qikbaaml.exe File created C:\Windows\SysWOW64\Qfghnikc.dll Lgqfdnah.exe File created C:\Windows\SysWOW64\Fbgihaji.exe Fpimlfke.exe File created C:\Windows\SysWOW64\Kgflcifg.exe Kckqbj32.exe File created C:\Windows\SysWOW64\Lljklo32.exe Kjlopc32.exe File created C:\Windows\SysWOW64\Fmikeaap.exe Fjjnifbl.exe File opened for modification C:\Windows\SysWOW64\Oaplqh32.exe Ojfcdnjc.exe File opened for modification C:\Windows\SysWOW64\Egened32.exe Edgbii32.exe File opened for modification C:\Windows\SysWOW64\Nfldgk32.exe Nbphglbe.exe File opened for modification C:\Windows\SysWOW64\Damfao32.exe Doojec32.exe File created C:\Windows\SysWOW64\Dndgfpbo.exe Dkekjdck.exe File opened for modification C:\Windows\SysWOW64\Hefnkkkj.exe Hbhboolf.exe File created C:\Windows\SysWOW64\Iinjhh32.exe Ifomll32.exe File opened for modification C:\Windows\SysWOW64\Lfgipd32.exe Lcimdh32.exe File opened for modification C:\Windows\SysWOW64\Dhdbhifj.exe Ddifgk32.exe File created C:\Windows\SysWOW64\Nflnbh32.dll Ckbemgcp.exe File created C:\Windows\SysWOW64\Bbdcakkc.dll Gokbgpeg.exe File created C:\Windows\SysWOW64\Nfamlc32.dll Jlkipgpe.exe File created C:\Windows\SysWOW64\Qhkdof32.exe Qaalblgi.exe File opened for modification C:\Windows\SysWOW64\Bllbaa32.exe Bafndi32.exe File created C:\Windows\SysWOW64\Nmkmjjaa.exe Njmqnobn.exe File created C:\Windows\SysWOW64\Bahdob32.exe Boihcf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17944 17812 WerFault.exe 976 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiokinbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emanjldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iehmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiagde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knenkbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbliicp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlljnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innfnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhimp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdheded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpaqmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbean32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnaaib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaihooo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adjjeieh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdolgfbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclpdncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dheibpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmeigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgbnkfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mablfnne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbpjaeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdaadln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figgdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Madjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgclpkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkahilkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gldglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgind32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjjhdjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piocecgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manmoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnhjcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noblkqca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmmlamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjafok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iajdgcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhijepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iohejo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmjcf32.dll" Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpckhnk.dll" Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biiobo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll" Aaoaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll" Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll" Mapppn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll" Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll" Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll" Hihibbjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpqggh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afcmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpgal32.dll" Hdhedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkdaepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlbcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll" Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfiji32.dll" Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipihpkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidkle32.dll" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndeii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jekqmhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll" Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll" Pnmopk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhifomdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikpjbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqhdbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ledepn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdeiqgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpcgbim.dll" Kdkdgchl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocgbend.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnhqepf.dll" Efgemb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhndpol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofhknodl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnobcjlg.dll" Gkaclqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkdqh32.dll" Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnpcnol.dll" Kqdaadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokmqben.dll" Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmkff32.dll" Jpenfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idknpoad.dll" Ihpcinld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jahqiaeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geldkfpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkqgaol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4372 wrote to memory of 2668 4372 d6a5bd7de2e09a2cca83569fd1c3bf40N.exe 82 PID 4372 wrote to memory of 2668 4372 d6a5bd7de2e09a2cca83569fd1c3bf40N.exe 82 PID 4372 wrote to memory of 2668 4372 d6a5bd7de2e09a2cca83569fd1c3bf40N.exe 82 PID 2668 wrote to memory of 4556 2668 Fpbmfn32.exe 83 PID 2668 wrote to memory of 4556 2668 Fpbmfn32.exe 83 PID 2668 wrote to memory of 4556 2668 Fpbmfn32.exe 83 PID 4556 wrote to memory of 4356 4556 Fjhacf32.exe 84 PID 4556 wrote to memory of 4356 4556 Fjhacf32.exe 84 PID 4556 wrote to memory of 4356 4556 Fjhacf32.exe 84 PID 4356 wrote to memory of 4524 4356 Fmfnpa32.exe 85 PID 4356 wrote to memory of 4524 4356 Fmfnpa32.exe 85 PID 4356 wrote to memory of 4524 4356 Fmfnpa32.exe 85 PID 4524 wrote to memory of 64 4524 Fdqfll32.exe 86 PID 4524 wrote to memory of 64 4524 Fdqfll32.exe 86 PID 4524 wrote to memory of 64 4524 Fdqfll32.exe 86 PID 64 wrote to memory of 1272 64 Fjjnifbl.exe 87 PID 64 wrote to memory of 1272 64 Fjjnifbl.exe 87 PID 64 wrote to memory of 1272 64 Fjjnifbl.exe 87 PID 1272 wrote to memory of 4908 1272 Fmikeaap.exe 89 PID 1272 wrote to memory of 4908 1272 Fmikeaap.exe 89 PID 1272 wrote to memory of 4908 1272 Fmikeaap.exe 89 PID 4908 wrote to memory of 856 4908 Fpggamqc.exe 90 PID 4908 wrote to memory of 856 4908 Fpggamqc.exe 90 PID 4908 wrote to memory of 856 4908 Fpggamqc.exe 90 PID 856 wrote to memory of 2156 856 Ffaong32.exe 91 PID 856 wrote to memory of 2156 856 Ffaong32.exe 91 PID 856 wrote to memory of 2156 856 Ffaong32.exe 91 PID 2156 wrote to memory of 516 2156 Fipkjb32.exe 92 PID 2156 wrote to memory of 516 2156 Fipkjb32.exe 92 PID 2156 wrote to memory of 516 2156 Fipkjb32.exe 92 PID 516 wrote to memory of 4744 516 Flngfn32.exe 93 PID 516 wrote to memory of 4744 516 Flngfn32.exe 93 PID 516 wrote to memory of 4744 516 Flngfn32.exe 93 PID 4744 wrote to memory of 2464 4744 Ffclcgfn.exe 94 PID 4744 wrote to memory of 2464 4744 Ffclcgfn.exe 94 PID 4744 wrote to memory of 2464 4744 Ffclcgfn.exe 94 PID 2464 wrote to memory of 2928 2464 Fibhpbea.exe 95 PID 2464 wrote to memory of 2928 2464 Fibhpbea.exe 95 PID 2464 wrote to memory of 2928 2464 Fibhpbea.exe 95 PID 2928 wrote to memory of 680 2928 Flqdlnde.exe 97 PID 2928 wrote to memory of 680 2928 Flqdlnde.exe 97 PID 2928 wrote to memory of 680 2928 Flqdlnde.exe 97 PID 680 wrote to memory of 1232 680 Fdglmkeg.exe 98 PID 680 wrote to memory of 1232 680 Fdglmkeg.exe 98 PID 680 wrote to memory of 1232 680 Fdglmkeg.exe 98 PID 1232 wrote to memory of 4788 1232 Fffhifdk.exe 99 PID 1232 wrote to memory of 4788 1232 Fffhifdk.exe 99 PID 1232 wrote to memory of 4788 1232 Fffhifdk.exe 99 PID 4788 wrote to memory of 3716 4788 Fideeaco.exe 100 PID 4788 wrote to memory of 3716 4788 Fideeaco.exe 100 PID 4788 wrote to memory of 3716 4788 Fideeaco.exe 100 PID 3716 wrote to memory of 4164 3716 Gdjibj32.exe 101 PID 3716 wrote to memory of 4164 3716 Gdjibj32.exe 101 PID 3716 wrote to memory of 4164 3716 Gdjibj32.exe 101 PID 4164 wrote to memory of 3936 4164 Gigaka32.exe 103 PID 4164 wrote to memory of 3936 4164 Gigaka32.exe 103 PID 4164 wrote to memory of 3936 4164 Gigaka32.exe 103 PID 3936 wrote to memory of 228 3936 Glengm32.exe 104 PID 3936 wrote to memory of 228 3936 Glengm32.exe 104 PID 3936 wrote to memory of 228 3936 Glengm32.exe 104 PID 228 wrote to memory of 4808 228 Gbofcghl.exe 105 PID 228 wrote to memory of 4808 228 Gbofcghl.exe 105 PID 228 wrote to memory of 4808 228 Gbofcghl.exe 105 PID 4808 wrote to memory of 3756 4808 Gjfnedho.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6a5bd7de2e09a2cca83569fd1c3bf40N.exe"C:\Users\Admin\AppData\Local\Temp\d6a5bd7de2e09a2cca83569fd1c3bf40N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe23⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe24⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe25⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe26⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe27⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe29⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe30⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe31⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe32⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe33⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe34⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe35⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe37⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe38⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3800 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe40⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe41⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe42⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe43⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe44⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe46⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe47⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe48⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe49⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe51⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe52⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe55⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe57⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4504 -
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe59⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe60⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe61⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe62⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe63⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe64⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe65⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3664 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe67⤵PID:2984
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe68⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe69⤵
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe70⤵PID:3660
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe71⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe72⤵PID:4780
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe73⤵PID:1380
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe74⤵PID:2132
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe75⤵PID:5036
-
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe76⤵PID:5096
-
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe77⤵PID:4848
-
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe78⤵
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe79⤵PID:2012
-
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe80⤵PID:3592
-
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe81⤵PID:4864
-
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe83⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe84⤵PID:2200
-
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe85⤵PID:4840
-
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe86⤵PID:4384
-
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe87⤵PID:2536
-
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe88⤵PID:2836
-
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe90⤵PID:232
-
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe91⤵PID:5072
-
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe92⤵PID:2308
-
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe93⤵PID:4492
-
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe94⤵PID:2976
-
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe95⤵PID:2364
-
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe96⤵PID:2128
-
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe97⤵PID:1652
-
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe98⤵PID:2924
-
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe99⤵PID:1632
-
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe100⤵
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe101⤵PID:5172
-
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe102⤵PID:5236
-
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe103⤵PID:5300
-
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe104⤵PID:5340
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe105⤵PID:5384
-
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe106⤵PID:5428
-
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe108⤵PID:5516
-
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe109⤵PID:5560
-
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe110⤵PID:5604
-
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe111⤵PID:5648
-
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe112⤵
- Drops file in System32 directory
PID:5692 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe114⤵PID:5772
-
C:\Windows\SysWOW64\Ljaoeini.exeC:\Windows\system32\Ljaoeini.exe115⤵PID:5812
-
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe116⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe117⤵PID:5900
-
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe118⤵PID:5944
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe119⤵PID:5988
-
C:\Windows\SysWOW64\Ljclki32.exeC:\Windows\system32\Ljclki32.exe120⤵PID:6032
-
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe121⤵PID:6072
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-