Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23/08/2024, 15:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dde83b9672f4bf69fa057f3ede75d160N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
dde83b9672f4bf69fa057f3ede75d160N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
dde83b9672f4bf69fa057f3ede75d160N.exe
-
Size
250KB
-
MD5
dde83b9672f4bf69fa057f3ede75d160
-
SHA1
f5cd9c1ffc583f77129b24b122d5dadcc88187bb
-
SHA256
7402111bf5c1bd77ecd642d32bcc097245a6c30f81e2b0aac50d7b582a1462d7
-
SHA512
ca06d9ac28e46384cedbfbb9f17bd9dab36736e388424dab628df6ca5b9d6b8e438fc5abd1069298f160894ae054af8d84420c80c8dabe4ca6d1e0341e642c8a
-
SSDEEP
6144:k9NV7VYvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:kJ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghaghfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbiphhhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acgacegg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogpfko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlaoioh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glajeiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlhgpag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlbpldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfaenfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbcbnlcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmmoklg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noaeqjpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acdioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnicai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nffceq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljmal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekpljgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keceoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Donecfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lipmoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epeohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfmpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhaclqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbiphhhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdfmkjlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kccbjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 4832 Gkefmjcj.exe 2700 Gndbie32.exe 3292 Gglfbkin.exe 3184 Gjkbnfha.exe 4608 Gbbkocid.exe 4020 Hepgkohh.exe 2340 Hbfdjc32.exe 2984 Heepfn32.exe 3308 Hchqbkkm.exe 4624 Hkaeih32.exe 4440 Hnpaec32.exe 4056 Hkcbnh32.exe 5008 Hnbnjc32.exe 3300 Iapjgo32.exe 3176 Icogcjde.exe 392 Ijiopd32.exe 4148 Indkpcdk.exe 1164 Iabglnco.exe 3132 Iencmm32.exe 4244 Icachjbb.exe 3416 Igmoih32.exe 4336 Ilhkigcd.exe 4860 Ijkled32.exe 3384 Ibbcfa32.exe 3436 Iaedanal.exe 4436 Ieqpbm32.exe 3532 Iholohii.exe 1372 Ilkhog32.exe 2488 Ijmhkchl.exe 3584 Ibdplaho.exe 3144 Iagqgn32.exe 4680 Icfmci32.exe 916 Ihaidhgf.exe 2320 Ijpepcfj.exe 3600 Inkaqb32.exe 412 Iajmmm32.exe 4724 Idhiii32.exe 4508 Ihceigec.exe 3676 Ijbbfc32.exe 3772 Jbijgp32.exe 4284 Jehfcl32.exe 556 Jhfbog32.exe 1336 Jjdokb32.exe 4356 Jblflp32.exe 5124 Jejbhk32.exe 5164 Jdmcdhhe.exe 5204 Jldkeeig.exe 5244 Jnbgaa32.exe 5284 Jbncbpqd.exe 5324 Jelonkph.exe 5364 Jhkljfok.exe 5404 Jjihfbno.exe 5444 Jnedgq32.exe 5484 Jacpcl32.exe 5524 Jdalog32.exe 5560 Jhmhpfmi.exe 5600 Jjkdlall.exe 5636 Jogqlpde.exe 5676 Jbbmmo32.exe 5716 Jeaiij32.exe 5752 Jhoeef32.exe 5792 Jlkafdco.exe 5832 Koimbpbc.exe 5872 Kbeibo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bllhabgk.dll Mbjgcnll.exe File created C:\Windows\SysWOW64\Icoodj32.exe Process not Found File created C:\Windows\SysWOW64\Mhlnii32.dll Process not Found File created C:\Windows\SysWOW64\Fcfjiopj.dll Bpmobi32.exe File created C:\Windows\SysWOW64\Paqebike.exe Process not Found File created C:\Windows\SysWOW64\Gfpdoj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ckkilhjm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lbcedmnl.exe Lklnconj.exe File opened for modification C:\Windows\SysWOW64\Offeahhp.exe Oplmdnpc.exe File created C:\Windows\SysWOW64\Jglaepim.exe Jmgmhgig.exe File opened for modification C:\Windows\SysWOW64\Kaihonhl.exe Kfcdaehf.exe File created C:\Windows\SysWOW64\Lkflpe32.exe Ljephmgl.exe File created C:\Windows\SysWOW64\Gcjcok32.dll Eenflbll.exe File created C:\Windows\SysWOW64\Giqemh32.dll Process not Found File created C:\Windows\SysWOW64\Hfcinq32.exe Hcembe32.exe File created C:\Windows\SysWOW64\Fimonh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lhgdmb32.exe Lehhqg32.exe File created C:\Windows\SysWOW64\Boipkd32.dll Bmddihfj.exe File created C:\Windows\SysWOW64\Jknocljn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kblpnall.exe Process not Found File created C:\Windows\SysWOW64\Cnbmolhd.exe Process not Found File created C:\Windows\SysWOW64\Bkadoo32.exe Bgfhnpde.exe File opened for modification C:\Windows\SysWOW64\Jnmbjnlm.exe Jlkfbe32.exe File created C:\Windows\SysWOW64\Lkchpoka.exe Kdipce32.exe File created C:\Windows\SysWOW64\Bgkijp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cgiflnoa.exe Process not Found File created C:\Windows\SysWOW64\Icjkef32.dll Ldfhgn32.exe File created C:\Windows\SysWOW64\Hbldkllm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ipjocgdm.exe Process not Found File created C:\Windows\SysWOW64\Doklblnq.dll Apkjddke.exe File created C:\Windows\SysWOW64\Lahjag32.dll Jonlimkg.exe File opened for modification C:\Windows\SysWOW64\Alfcflfb.exe Anccjp32.exe File created C:\Windows\SysWOW64\Ciinhk32.dll Process not Found File created C:\Windows\SysWOW64\Ojcidelf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bnppim32.exe Process not Found File created C:\Windows\SysWOW64\Hfgloiqf.exe Hgbonm32.exe File created C:\Windows\SysWOW64\Hlldaape.exe Process not Found File created C:\Windows\SysWOW64\Ldblon32.exe Process not Found File created C:\Windows\SysWOW64\Mdkhkflh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pclnon32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oddmoj32.exe Oafacn32.exe File created C:\Windows\SysWOW64\Fhhaclqc.exe Fanigb32.exe File opened for modification C:\Windows\SysWOW64\Cgbppknb.exe Cllkcbnl.exe File created C:\Windows\SysWOW64\Piifki32.dll Process not Found File created C:\Windows\SysWOW64\Hbfdjc32.exe Hepgkohh.exe File opened for modification C:\Windows\SysWOW64\Ihjjln32.exe Iapbodql.exe File created C:\Windows\SysWOW64\Ccipelcf.exe Cnlhme32.exe File created C:\Windows\SysWOW64\Kiikkada.exe Process not Found File created C:\Windows\SysWOW64\Ncqbnhci.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cbpacmbc.exe Process not Found File created C:\Windows\SysWOW64\Ikpgdhfi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Khfkfedn.exe Kdkoef32.exe File created C:\Windows\SysWOW64\Goamlkpk.exe Giddddad.exe File created C:\Windows\SysWOW64\Hmabnnhg.exe Process not Found File created C:\Windows\SysWOW64\Mhgfdmle.exe Process not Found File created C:\Windows\SysWOW64\Kknikplo.dll Icfmci32.exe File created C:\Windows\SysWOW64\Ieaqqigc.dll Lhbkac32.exe File created C:\Windows\SysWOW64\Onmahojj.exe Oddmoj32.exe File created C:\Windows\SysWOW64\Nhafcd32.exe Nmlafk32.exe File opened for modification C:\Windows\SysWOW64\Dhmgdo32.exe Process not Found File created C:\Windows\SysWOW64\Hnpcna32.dll Process not Found File created C:\Windows\SysWOW64\Pfeijqqe.exe Pcfmneaa.exe File created C:\Windows\SysWOW64\Blkkaohc.exe Process not Found File created C:\Windows\SysWOW64\Iblacf32.dll Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeohn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goadfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhfoocaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjkbnfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkaeih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjkgkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jogqlpde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfofjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcidopb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifcben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abemep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmnpfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpghfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iooimi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boohcpgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laffpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjhofjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfiiggpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajhpbme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjdaoni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafacn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeodqocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miqlpbap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhoeef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmimdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnlcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edcgnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbcbnlcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikdpb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijbbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liofdigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegpaf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcmbpec.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjngf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljpld32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeadmn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbgim32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idhiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnkkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khnfce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hikkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdhmmdg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doklblnq.dll" Apkjddke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbmmoklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipndco32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afekjp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhhaclqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifqemd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmifkecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggpd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlihfgfi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdgkdjh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghjhofjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eghimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhknhabf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeeomegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enaaiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcbji32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgicdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipqcn32.dll" Nmommn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcqeiilk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapfed32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3272 wrote to memory of 4832 3272 dde83b9672f4bf69fa057f3ede75d160N.exe 91 PID 3272 wrote to memory of 4832 3272 dde83b9672f4bf69fa057f3ede75d160N.exe 91 PID 3272 wrote to memory of 4832 3272 dde83b9672f4bf69fa057f3ede75d160N.exe 91 PID 4832 wrote to memory of 2700 4832 Gkefmjcj.exe 92 PID 4832 wrote to memory of 2700 4832 Gkefmjcj.exe 92 PID 4832 wrote to memory of 2700 4832 Gkefmjcj.exe 92 PID 2700 wrote to memory of 3292 2700 Gndbie32.exe 93 PID 2700 wrote to memory of 3292 2700 Gndbie32.exe 93 PID 2700 wrote to memory of 3292 2700 Gndbie32.exe 93 PID 3292 wrote to memory of 3184 3292 Gglfbkin.exe 94 PID 3292 wrote to memory of 3184 3292 Gglfbkin.exe 94 PID 3292 wrote to memory of 3184 3292 Gglfbkin.exe 94 PID 3184 wrote to memory of 4608 3184 Gjkbnfha.exe 95 PID 3184 wrote to memory of 4608 3184 Gjkbnfha.exe 95 PID 3184 wrote to memory of 4608 3184 Gjkbnfha.exe 95 PID 4608 wrote to memory of 4020 4608 Gbbkocid.exe 96 PID 4608 wrote to memory of 4020 4608 Gbbkocid.exe 96 PID 4608 wrote to memory of 4020 4608 Gbbkocid.exe 96 PID 4020 wrote to memory of 2340 4020 Hepgkohh.exe 97 PID 4020 wrote to memory of 2340 4020 Hepgkohh.exe 97 PID 4020 wrote to memory of 2340 4020 Hepgkohh.exe 97 PID 2340 wrote to memory of 2984 2340 Hbfdjc32.exe 98 PID 2340 wrote to memory of 2984 2340 Hbfdjc32.exe 98 PID 2340 wrote to memory of 2984 2340 Hbfdjc32.exe 98 PID 2984 wrote to memory of 3308 2984 Heepfn32.exe 99 PID 2984 wrote to memory of 3308 2984 Heepfn32.exe 99 PID 2984 wrote to memory of 3308 2984 Heepfn32.exe 99 PID 3308 wrote to memory of 4624 3308 Hchqbkkm.exe 100 PID 3308 wrote to memory of 4624 3308 Hchqbkkm.exe 100 PID 3308 wrote to memory of 4624 3308 Hchqbkkm.exe 100 PID 4624 wrote to memory of 4440 4624 Hkaeih32.exe 102 PID 4624 wrote to memory of 4440 4624 Hkaeih32.exe 102 PID 4624 wrote to memory of 4440 4624 Hkaeih32.exe 102 PID 4440 wrote to memory of 4056 4440 Hnpaec32.exe 103 PID 4440 wrote to memory of 4056 4440 Hnpaec32.exe 103 PID 4440 wrote to memory of 4056 4440 Hnpaec32.exe 103 PID 4056 wrote to memory of 5008 4056 Hkcbnh32.exe 104 PID 4056 wrote to memory of 5008 4056 Hkcbnh32.exe 104 PID 4056 wrote to memory of 5008 4056 Hkcbnh32.exe 104 PID 5008 wrote to memory of 3300 5008 Hnbnjc32.exe 105 PID 5008 wrote to memory of 3300 5008 Hnbnjc32.exe 105 PID 5008 wrote to memory of 3300 5008 Hnbnjc32.exe 105 PID 3300 wrote to memory of 3176 3300 Iapjgo32.exe 107 PID 3300 wrote to memory of 3176 3300 Iapjgo32.exe 107 PID 3300 wrote to memory of 3176 3300 Iapjgo32.exe 107 PID 3176 wrote to memory of 392 3176 Icogcjde.exe 108 PID 3176 wrote to memory of 392 3176 Icogcjde.exe 108 PID 3176 wrote to memory of 392 3176 Icogcjde.exe 108 PID 392 wrote to memory of 4148 392 Ijiopd32.exe 109 PID 392 wrote to memory of 4148 392 Ijiopd32.exe 109 PID 392 wrote to memory of 4148 392 Ijiopd32.exe 109 PID 4148 wrote to memory of 1164 4148 Indkpcdk.exe 110 PID 4148 wrote to memory of 1164 4148 Indkpcdk.exe 110 PID 4148 wrote to memory of 1164 4148 Indkpcdk.exe 110 PID 1164 wrote to memory of 3132 1164 Iabglnco.exe 111 PID 1164 wrote to memory of 3132 1164 Iabglnco.exe 111 PID 1164 wrote to memory of 3132 1164 Iabglnco.exe 111 PID 3132 wrote to memory of 4244 3132 Iencmm32.exe 112 PID 3132 wrote to memory of 4244 3132 Iencmm32.exe 112 PID 3132 wrote to memory of 4244 3132 Iencmm32.exe 112 PID 4244 wrote to memory of 3416 4244 Icachjbb.exe 113 PID 4244 wrote to memory of 3416 4244 Icachjbb.exe 113 PID 4244 wrote to memory of 3416 4244 Icachjbb.exe 113 PID 3416 wrote to memory of 4336 3416 Igmoih32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\dde83b9672f4bf69fa057f3ede75d160N.exe"C:\Users\Admin\AppData\Local\Temp\dde83b9672f4bf69fa057f3ede75d160N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Gbbkocid.exeC:\Windows\system32\Gbbkocid.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Hbfdjc32.exeC:\Windows\system32\Hbfdjc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Heepfn32.exeC:\Windows\system32\Heepfn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Hchqbkkm.exeC:\Windows\system32\Hchqbkkm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Hkcbnh32.exeC:\Windows\system32\Hkcbnh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Hnbnjc32.exeC:\Windows\system32\Hnbnjc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Iapjgo32.exeC:\Windows\system32\Iapjgo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Icogcjde.exeC:\Windows\system32\Icogcjde.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Indkpcdk.exeC:\Windows\system32\Indkpcdk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Iencmm32.exeC:\Windows\system32\Iencmm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Ilhkigcd.exeC:\Windows\system32\Ilhkigcd.exe23⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Ijkled32.exeC:\Windows\system32\Ijkled32.exe24⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe25⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Iaedanal.exeC:\Windows\system32\Iaedanal.exe26⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe27⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Iholohii.exeC:\Windows\system32\Iholohii.exe28⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Ilkhog32.exeC:\Windows\system32\Ilkhog32.exe29⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Ijmhkchl.exeC:\Windows\system32\Ijmhkchl.exe30⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe31⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe32⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Icfmci32.exeC:\Windows\system32\Icfmci32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4680 -
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe34⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe35⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe36⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Iajmmm32.exeC:\Windows\system32\Iajmmm32.exe37⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe39⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Jbijgp32.exeC:\Windows\system32\Jbijgp32.exe41⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe42⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Jhfbog32.exeC:\Windows\system32\Jhfbog32.exe43⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe44⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe45⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe46⤵
- Executes dropped EXE
PID:5124 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe47⤵
- Executes dropped EXE
PID:5164 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe48⤵
- Executes dropped EXE
PID:5204 -
C:\Windows\SysWOW64\Jnbgaa32.exeC:\Windows\system32\Jnbgaa32.exe49⤵
- Executes dropped EXE
PID:5244 -
C:\Windows\SysWOW64\Jbncbpqd.exeC:\Windows\system32\Jbncbpqd.exe50⤵
- Executes dropped EXE
PID:5284 -
C:\Windows\SysWOW64\Jelonkph.exeC:\Windows\system32\Jelonkph.exe51⤵
- Executes dropped EXE
PID:5324 -
C:\Windows\SysWOW64\Jhkljfok.exeC:\Windows\system32\Jhkljfok.exe52⤵
- Executes dropped EXE
PID:5364 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe53⤵
- Executes dropped EXE
PID:5404 -
C:\Windows\SysWOW64\Jnedgq32.exeC:\Windows\system32\Jnedgq32.exe54⤵
- Executes dropped EXE
PID:5444 -
C:\Windows\SysWOW64\Jacpcl32.exeC:\Windows\system32\Jacpcl32.exe55⤵
- Executes dropped EXE
PID:5484 -
C:\Windows\SysWOW64\Jdalog32.exeC:\Windows\system32\Jdalog32.exe56⤵
- Executes dropped EXE
PID:5524 -
C:\Windows\SysWOW64\Jhmhpfmi.exeC:\Windows\system32\Jhmhpfmi.exe57⤵
- Executes dropped EXE
PID:5560 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe58⤵
- Executes dropped EXE
PID:5600 -
C:\Windows\SysWOW64\Jogqlpde.exeC:\Windows\system32\Jogqlpde.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5636 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe60⤵
- Executes dropped EXE
PID:5676 -
C:\Windows\SysWOW64\Jeaiij32.exeC:\Windows\system32\Jeaiij32.exe61⤵
- Executes dropped EXE
PID:5716 -
C:\Windows\SysWOW64\Jhoeef32.exeC:\Windows\system32\Jhoeef32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe63⤵
- Executes dropped EXE
PID:5792 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe64⤵
- Executes dropped EXE
PID:5832 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe65⤵
- Executes dropped EXE
PID:5872 -
C:\Windows\SysWOW64\Keceoj32.exeC:\Windows\system32\Keceoj32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5912 -
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe67⤵PID:5952
-
C:\Windows\SysWOW64\Klmnkdal.exeC:\Windows\system32\Klmnkdal.exe68⤵PID:5992
-
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe69⤵PID:6032
-
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe70⤵PID:6072
-
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe71⤵PID:6108
-
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe72⤵PID:2040
-
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe73⤵PID:1556
-
C:\Windows\SysWOW64\Kkbkmqed.exeC:\Windows\system32\Kkbkmqed.exe74⤵PID:1352
-
C:\Windows\SysWOW64\Kbjbnnfg.exeC:\Windows\system32\Kbjbnnfg.exe75⤵PID:4212
-
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe76⤵PID:4360
-
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe77⤵
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe78⤵PID:5160
-
C:\Windows\SysWOW64\Kkegbpca.exeC:\Windows\system32\Kkegbpca.exe79⤵PID:5232
-
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe80⤵PID:5292
-
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe81⤵PID:5360
-
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe82⤵PID:5412
-
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe83⤵PID:5476
-
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe84⤵PID:380
-
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe85⤵PID:5596
-
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe86⤵PID:5672
-
C:\Windows\SysWOW64\Kdpiqehp.exeC:\Windows\system32\Kdpiqehp.exe87⤵PID:5744
-
C:\Windows\SysWOW64\Khkdad32.exeC:\Windows\system32\Khkdad32.exe88⤵PID:4592
-
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe89⤵PID:5880
-
C:\Windows\SysWOW64\Lbqinm32.exeC:\Windows\system32\Lbqinm32.exe90⤵PID:5940
-
C:\Windows\SysWOW64\Lacijjgi.exeC:\Windows\system32\Lacijjgi.exe91⤵PID:4848
-
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe92⤵
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Lhmafcnf.exeC:\Windows\system32\Lhmafcnf.exe93⤵PID:6116
-
C:\Windows\SysWOW64\Lklnconj.exeC:\Windows\system32\Lklnconj.exe94⤵
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Lbcedmnl.exeC:\Windows\system32\Lbcedmnl.exe95⤵PID:516
-
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1264 -
C:\Windows\SysWOW64\Lddble32.exeC:\Windows\system32\Lddble32.exe97⤵PID:5212
-
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe98⤵PID:5352
-
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe99⤵PID:5016
-
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe100⤵PID:5548
-
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe101⤵PID:5664
-
C:\Windows\SysWOW64\Lhbkac32.exeC:\Windows\system32\Lhbkac32.exe102⤵
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Lkqgno32.exeC:\Windows\system32\Lkqgno32.exe103⤵PID:5908
-
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe104⤵PID:6016
-
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe105⤵PID:4532
-
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe106⤵PID:2772
-
C:\Windows\SysWOW64\Lkcccn32.exeC:\Windows\system32\Lkcccn32.exe107⤵PID:5256
-
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe108⤵PID:5356
-
C:\Windows\SysWOW64\Lehhqg32.exeC:\Windows\system32\Lehhqg32.exe109⤵
- Drops file in System32 directory
PID:5516 -
C:\Windows\SysWOW64\Lhgdmb32.exeC:\Windows\system32\Lhgdmb32.exe110⤵PID:6148
-
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe111⤵PID:6184
-
C:\Windows\SysWOW64\Mclhjkfa.exeC:\Windows\system32\Mclhjkfa.exe112⤵PID:6224
-
C:\Windows\SysWOW64\Mekdffee.exeC:\Windows\system32\Mekdffee.exe113⤵PID:6264
-
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe114⤵PID:6300
-
C:\Windows\SysWOW64\Mkgmoncl.exeC:\Windows\system32\Mkgmoncl.exe115⤵PID:6344
-
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe116⤵PID:6380
-
C:\Windows\SysWOW64\Memalfcb.exeC:\Windows\system32\Memalfcb.exe117⤵PID:6416
-
C:\Windows\SysWOW64\Mhknhabf.exeC:\Windows\system32\Mhknhabf.exe118⤵
- Modifies registry class
PID:6460 -
C:\Windows\SysWOW64\Mkjjdmaj.exeC:\Windows\system32\Mkjjdmaj.exe119⤵PID:6496
-
C:\Windows\SysWOW64\Mcabej32.exeC:\Windows\system32\Mcabej32.exe120⤵PID:6536
-
C:\Windows\SysWOW64\Mepnaf32.exeC:\Windows\system32\Mepnaf32.exe121⤵PID:6576
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-