Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22/08/2024, 02:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ec074ddabdb6fafa2a583e6c20c57f30N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ec074ddabdb6fafa2a583e6c20c57f30N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ec074ddabdb6fafa2a583e6c20c57f30N.exe
-
Size
104KB
-
MD5
ec074ddabdb6fafa2a583e6c20c57f30
-
SHA1
89525504296e8c49c902cfe0da53cb02ce8d1d29
-
SHA256
2ab35869361082b43b68b979bfe7bef961db266dfef4131d42bc0caa5b19010b
-
SHA512
c6577f4f06e42cbd6407475486217dbdca76fc3a0eb333fc7ec3229987f1b2103be350f77cc65bfb9d9874bce7f25bc6419417430c3580c44ca4bc4c2f1c702c
-
SSDEEP
3072:KOKG6bH7UWe5Vx7cEGrhkngpDvchkqbAIQS:KO8nI5Vx4brq2Ahn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igchfiof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakiia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajndioga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkmnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jngjch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjhcjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmeakf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akqfkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hninbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmmepfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgndoeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpmpnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miofjepg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpenfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afghneoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cikglnkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inomhbeq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcndbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2544 Hfningai.exe 1152 Hkjafn32.exe 5020 Hninbj32.exe 384 Hfpecg32.exe 3056 Hhnbpb32.exe 1976 Hkmnln32.exe 396 Ibffhhek.exe 1176 Idebdcdo.exe 728 Igcoqocb.exe 1996 Inmgmijo.exe 2364 Ifdonfka.exe 796 Iickkbje.exe 4696 Ikaggmii.exe 2572 Ibkpcg32.exe 1516 Iiehpahb.exe 4640 Ikcdlmgf.exe 2376 Ibnligoc.exe 1092 Iigdfa32.exe 1712 Ikfabm32.exe 1824 Indmnh32.exe 3108 Ienekbld.exe 3336 Jodjhkkj.exe 3480 Jngjch32.exe 5104 Jilnqqbj.exe 3468 Joffnk32.exe 4420 Jnifigpa.exe 2756 Jecofa32.exe 4660 Jiokfpph.exe 3632 Jkmgblok.exe 4852 Jbgoof32.exe 4488 Jeekkafl.exe 3360 Jkodhk32.exe 3352 Jbileede.exe 1064 Jfehed32.exe 3600 Jgfdmlcm.exe 4148 Jpmlnjco.exe 2252 Jblijebc.exe 2300 Jejefqaf.exe 1772 Jghabl32.exe 4344 Kppici32.exe 2496 Kbnepe32.exe 1960 Kelalp32.exe 4556 Kihnmohm.exe 876 Kpbfii32.exe 3696 Kbpbed32.exe 548 Keonap32.exe 3680 Kijjbofj.exe 4228 Klifnj32.exe 4804 Kpdboimg.exe 856 Kngcje32.exe 2032 Kfnkkb32.exe 636 Keakgpko.exe 3428 Khpgckkb.exe 3848 Knippe32.exe 4252 Kbekqdjh.exe 4904 Kiodmn32.exe 2960 Klmpiiai.exe 2140 Kpiljh32.exe 2372 Kfcdfbqo.exe 2580 Kiaqcnpb.exe 1592 Lpkiph32.exe 1492 Lbjelc32.exe 4244 Lehaho32.exe 4220 Lhfmdj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dpnkdq32.exe Dmoohe32.exe File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ekcgkb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fdamgb32.exe Facqkg32.exe File created C:\Windows\SysWOW64\Cppnfc32.dll Ghhhcomg.exe File opened for modification C:\Windows\SysWOW64\Bfbaonae.exe Bcddcbab.exe File created C:\Windows\SysWOW64\Jjmcnbdm.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Mhelik32.dll Kjeiodek.exe File created C:\Windows\SysWOW64\Eemfmoce.dll Jbdlop32.exe File created C:\Windows\SysWOW64\Jhidngmn.dll Eciplm32.exe File opened for modification C:\Windows\SysWOW64\Bmladm32.exe Process not Found File created C:\Windows\SysWOW64\Jpmlnjco.exe Jgfdmlcm.exe File created C:\Windows\SysWOW64\Cibncf32.dll Ggilil32.exe File opened for modification C:\Windows\SysWOW64\Eecphp32.exe Ebdcld32.exe File opened for modification C:\Windows\SysWOW64\Gpcfmkff.exe Giinpa32.exe File opened for modification C:\Windows\SysWOW64\Gfeaopqo.exe Fnnjmbpm.exe File created C:\Windows\SysWOW64\Bcjfln32.dll Mfqlfb32.exe File created C:\Windows\SysWOW64\Hgeqca32.dll Process not Found File created C:\Windows\SysWOW64\Helbbkkj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oblhcj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kqpoakco.exe Kbmoen32.exe File created C:\Windows\SysWOW64\Llodgnja.exe Lnldla32.exe File created C:\Windows\SysWOW64\Mmhgmmbf.exe Mjjkaabc.exe File created C:\Windows\SysWOW64\Pjdhbppo.dll Jofalmmp.exe File opened for modification C:\Windows\SysWOW64\Mleoafmn.exe Mhicpg32.exe File created C:\Windows\SysWOW64\Lepein32.dll Nlphbnoe.exe File created C:\Windows\SysWOW64\Dbpjaeoc.exe Dndnpf32.exe File opened for modification C:\Windows\SysWOW64\Iloidijb.exe Ijqmhnko.exe File opened for modification C:\Windows\SysWOW64\Lnqeqd32.exe Lhfmdj32.exe File created C:\Windows\SysWOW64\Fmhbagkn.dll Nhlpfgbb.exe File opened for modification C:\Windows\SysWOW64\Poomegpf.exe Plpqil32.exe File created C:\Windows\SysWOW64\Bahkih32.exe Bojomm32.exe File created C:\Windows\SysWOW64\Khbiello.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocihgnam.exe Process not Found File created C:\Windows\SysWOW64\Codhnb32.exe Cmflbf32.exe File created C:\Windows\SysWOW64\Ebdoljdi.dll Process not Found File created C:\Windows\SysWOW64\Klmpiiai.exe Kiodmn32.exe File created C:\Windows\SysWOW64\Qepkbpak.exe Qcaofebg.exe File created C:\Windows\SysWOW64\Ackbmcjl.exe Aoofle32.exe File opened for modification C:\Windows\SysWOW64\Dfdpad32.exe Dokgdkeh.exe File created C:\Windows\SysWOW64\Cdecba32.dll Dheibpje.exe File created C:\Windows\SysWOW64\Gngeik32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bfaigclq.exe Process not Found File created C:\Windows\SysWOW64\Kageaj32.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Mniallpq.exe Mlkepaam.exe File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Eciplm32.exe File created C:\Windows\SysWOW64\Dndnpf32.exe Dkfadkgf.exe File opened for modification C:\Windows\SysWOW64\Mlofcf32.exe Process not Found File created C:\Windows\SysWOW64\Aplaoj32.exe Process not Found File created C:\Windows\SysWOW64\Iglhgnlj.dll Oeaoab32.exe File created C:\Windows\SysWOW64\Aoofle32.exe Alqjpi32.exe File created C:\Windows\SysWOW64\Hllbndih.dll Hkpqkcpd.exe File created C:\Windows\SysWOW64\Aednci32.exe Anmfbl32.exe File created C:\Windows\SysWOW64\Amlogfel.exe Process not Found File created C:\Windows\SysWOW64\Dkhgod32.exe Process not Found File created C:\Windows\SysWOW64\Fnpeoe32.dll Bckkca32.exe File created C:\Windows\SysWOW64\Ekodjiol.exe Eiahnnph.exe File opened for modification C:\Windows\SysWOW64\Lopmii32.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Nckkfp32.exe Process not Found File created C:\Windows\SysWOW64\Nhkikq32.exe Naaqofgj.exe File opened for modification C:\Windows\SysWOW64\Nhkikq32.exe Naaqofgj.exe File created C:\Windows\SysWOW64\Ckclhn32.exe Bheplb32.exe File opened for modification C:\Windows\SysWOW64\Oeaoab32.exe Obcceg32.exe File opened for modification C:\Windows\SysWOW64\Lcgpni32.exe Lqhdbm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10668 11528 Process not Found 1600 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empoiimf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgipcogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckiihok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqlfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npepkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbobf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiodmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjcmebie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faenpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmcolgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihfcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajndioga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciafbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqeqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popbpqjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjbhmad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilqoobdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidjbmcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlgleef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdedak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiahnnph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knippe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niniei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhifjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gldglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklbmllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefjii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkabjbih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgloefco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glipgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgclpkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjehmfch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqcjepfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmomlnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnnbmfj.dll" Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll" Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqmbmdf.dll" Fmcjpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgmjmjnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajpge32.dll" Cmklglpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiciibmb.dll" Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebekb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfajq32.dll" Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmanjof.dll" Qemhbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfpffeaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhdfi32.dll" Ipgbdbqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlghoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eangpgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlijb32.dll" Piijno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclnnc32.dll" Fbajbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipcemb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbenoa32.dll" Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifoah32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaoan32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emehdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbnba.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibnligoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpdboimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjehmfch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jqlefl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnobcjlg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohlkq32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpckjfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnekbm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnefj32.dll" Mehjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnicah32.dll" Niniei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Peieba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eifhdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pemomqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjfgb32.dll" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galdglpd.dll" Gpbpbecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkihnmhj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1904 wrote to memory of 2544 1904 ec074ddabdb6fafa2a583e6c20c57f30N.exe 86 PID 1904 wrote to memory of 2544 1904 ec074ddabdb6fafa2a583e6c20c57f30N.exe 86 PID 1904 wrote to memory of 2544 1904 ec074ddabdb6fafa2a583e6c20c57f30N.exe 86 PID 2544 wrote to memory of 1152 2544 Hfningai.exe 87 PID 2544 wrote to memory of 1152 2544 Hfningai.exe 87 PID 2544 wrote to memory of 1152 2544 Hfningai.exe 87 PID 1152 wrote to memory of 5020 1152 Hkjafn32.exe 88 PID 1152 wrote to memory of 5020 1152 Hkjafn32.exe 88 PID 1152 wrote to memory of 5020 1152 Hkjafn32.exe 88 PID 5020 wrote to memory of 384 5020 Hninbj32.exe 89 PID 5020 wrote to memory of 384 5020 Hninbj32.exe 89 PID 5020 wrote to memory of 384 5020 Hninbj32.exe 89 PID 384 wrote to memory of 3056 384 Hfpecg32.exe 90 PID 384 wrote to memory of 3056 384 Hfpecg32.exe 90 PID 384 wrote to memory of 3056 384 Hfpecg32.exe 90 PID 3056 wrote to memory of 1976 3056 Hhnbpb32.exe 91 PID 3056 wrote to memory of 1976 3056 Hhnbpb32.exe 91 PID 3056 wrote to memory of 1976 3056 Hhnbpb32.exe 91 PID 1976 wrote to memory of 396 1976 Hkmnln32.exe 92 PID 1976 wrote to memory of 396 1976 Hkmnln32.exe 92 PID 1976 wrote to memory of 396 1976 Hkmnln32.exe 92 PID 396 wrote to memory of 1176 396 Ibffhhek.exe 93 PID 396 wrote to memory of 1176 396 Ibffhhek.exe 93 PID 396 wrote to memory of 1176 396 Ibffhhek.exe 93 PID 1176 wrote to memory of 728 1176 Idebdcdo.exe 94 PID 1176 wrote to memory of 728 1176 Idebdcdo.exe 94 PID 1176 wrote to memory of 728 1176 Idebdcdo.exe 94 PID 728 wrote to memory of 1996 728 Igcoqocb.exe 95 PID 728 wrote to memory of 1996 728 Igcoqocb.exe 95 PID 728 wrote to memory of 1996 728 Igcoqocb.exe 95 PID 1996 wrote to memory of 2364 1996 Inmgmijo.exe 96 PID 1996 wrote to memory of 2364 1996 Inmgmijo.exe 96 PID 1996 wrote to memory of 2364 1996 Inmgmijo.exe 96 PID 2364 wrote to memory of 796 2364 Ifdonfka.exe 97 PID 2364 wrote to memory of 796 2364 Ifdonfka.exe 97 PID 2364 wrote to memory of 796 2364 Ifdonfka.exe 97 PID 796 wrote to memory of 4696 796 Iickkbje.exe 98 PID 796 wrote to memory of 4696 796 Iickkbje.exe 98 PID 796 wrote to memory of 4696 796 Iickkbje.exe 98 PID 4696 wrote to memory of 2572 4696 Ikaggmii.exe 99 PID 4696 wrote to memory of 2572 4696 Ikaggmii.exe 99 PID 4696 wrote to memory of 2572 4696 Ikaggmii.exe 99 PID 2572 wrote to memory of 1516 2572 Ibkpcg32.exe 101 PID 2572 wrote to memory of 1516 2572 Ibkpcg32.exe 101 PID 2572 wrote to memory of 1516 2572 Ibkpcg32.exe 101 PID 1516 wrote to memory of 4640 1516 Iiehpahb.exe 102 PID 1516 wrote to memory of 4640 1516 Iiehpahb.exe 102 PID 1516 wrote to memory of 4640 1516 Iiehpahb.exe 102 PID 4640 wrote to memory of 2376 4640 Ikcdlmgf.exe 103 PID 4640 wrote to memory of 2376 4640 Ikcdlmgf.exe 103 PID 4640 wrote to memory of 2376 4640 Ikcdlmgf.exe 103 PID 2376 wrote to memory of 1092 2376 Ibnligoc.exe 105 PID 2376 wrote to memory of 1092 2376 Ibnligoc.exe 105 PID 2376 wrote to memory of 1092 2376 Ibnligoc.exe 105 PID 1092 wrote to memory of 1712 1092 Iigdfa32.exe 106 PID 1092 wrote to memory of 1712 1092 Iigdfa32.exe 106 PID 1092 wrote to memory of 1712 1092 Iigdfa32.exe 106 PID 1712 wrote to memory of 1824 1712 Ikfabm32.exe 107 PID 1712 wrote to memory of 1824 1712 Ikfabm32.exe 107 PID 1712 wrote to memory of 1824 1712 Ikfabm32.exe 107 PID 1824 wrote to memory of 3108 1824 Indmnh32.exe 108 PID 1824 wrote to memory of 3108 1824 Indmnh32.exe 108 PID 1824 wrote to memory of 3108 1824 Indmnh32.exe 108 PID 3108 wrote to memory of 3336 3108 Ienekbld.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec074ddabdb6fafa2a583e6c20c57f30N.exe"C:\Users\Admin\AppData\Local\Temp\ec074ddabdb6fafa2a583e6c20c57f30N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe23⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe25⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe26⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe27⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe28⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe29⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe30⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe31⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe32⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe33⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe34⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe35⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3600 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe37⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe38⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe39⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe40⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe41⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe42⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe43⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe44⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe45⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe46⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe47⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe48⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe49⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4804 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe51⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe52⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe53⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe54⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe56⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4904 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe58⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe59⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe60⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe61⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe62⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe63⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe64⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4220 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe67⤵PID:3912
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe68⤵PID:3676
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe69⤵PID:3732
-
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe70⤵PID:4152
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe72⤵PID:5060
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe73⤵PID:896
-
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe74⤵PID:2224
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe75⤵PID:4240
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe76⤵PID:4820
-
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe77⤵PID:844
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe78⤵PID:1368
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe79⤵PID:3380
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe80⤵PID:4700
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe81⤵PID:3872
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe82⤵PID:4960
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe83⤵PID:3860
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe84⤵PID:456
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe85⤵PID:3324
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe86⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe87⤵PID:3536
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe88⤵PID:4996
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe89⤵PID:1524
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe90⤵PID:4076
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe91⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe92⤵PID:2328
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe93⤵PID:4652
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe94⤵PID:4740
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe95⤵PID:4912
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe96⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe97⤵PID:4792
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe98⤵PID:5132
-
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe99⤵PID:5176
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe100⤵PID:5220
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe101⤵PID:5264
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe102⤵PID:5308
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe104⤵PID:5396
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe105⤵PID:5444
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe106⤵PID:5492
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe107⤵PID:5540
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe108⤵PID:5580
-
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe109⤵PID:5628
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe110⤵PID:5672
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe111⤵PID:5716
-
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe112⤵PID:5760
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe113⤵PID:5804
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe114⤵PID:5848
-
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe115⤵PID:5896
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe116⤵PID:5948
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe117⤵PID:5992
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe118⤵PID:6036
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe119⤵PID:6080
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe120⤵PID:6124
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe121⤵PID:5148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-