Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/12/2024, 00:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
-
Size
78KB
-
MD5
58a738f37f58db9e50e7058271e83738
-
SHA1
71ce80628a78eee5321981ad3abb0588650dcbe2
-
SHA256
77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555
-
SHA512
31e732532cae3e4492799728284bc6616ded0096016d1c0019b96b5f2184630766f755e0f2889b4a147eca631f1f52adf14833cb8e3616eae165122614c02cb5
-
SSDEEP
1536:rTcUrrw4zsj8ekt7aSr5co+jzif46yf5oAnqDM+4yyd:DsiaSr5c1jziACuq4cyd
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollnhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapkni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kflnfcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggegh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbdhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmgjia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcomcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkepaam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidjbmcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgjejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffcmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibmlmeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efdjgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhknpmma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmfmhll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjhoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caienjfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faenpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpbon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpijpdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlpfgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcelmhen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eokqkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlkepaam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oloahhki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cceddf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knfeeimj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2600 Fdkggg32.exe 2628 Fkeodaai.exe 908 Gaogak32.exe 2644 Gdncmghi.exe 1108 Gglpibgm.exe 5116 Gnfhfl32.exe 2968 Gempgj32.exe 1788 Ghklce32.exe 3332 Gkjhoq32.exe 3796 Gadqlkep.exe 2388 Gdbmhf32.exe 3188 Gkleeplq.exe 2072 Gafmaj32.exe 1220 Gddinf32.exe 1016 Gkobjpin.exe 5012 Gdgfce32.exe 3668 Hnoklk32.exe 4480 Hffcmh32.exe 4376 Hghoeqmp.exe 2436 Hnagak32.exe 1528 Hfipbh32.exe 4408 Hgjljpkm.exe 1512 Hoadkn32.exe 4712 Hfklhhcl.exe 396 Hglipp32.exe 644 Hocqam32.exe 3268 Hfningai.exe 3104 Hgoeep32.exe 4280 Hofmfmhj.exe 4036 Hfpecg32.exe 3988 Hgabkoee.exe 4692 Inkjhi32.exe 1784 Ifbbig32.exe 1764 Igcoqocb.exe 5032 Iokgal32.exe 784 Ibicnh32.exe 2828 Iickkbje.exe 2864 Igfkfo32.exe 952 Iomcgl32.exe 1424 Ibkpcg32.exe 3544 Ifgldfio.exe 4472 Idjlpc32.exe 892 Ighhln32.exe 2892 Iigdfa32.exe 3036 Ikfabm32.exe 3156 Iijaka32.exe 4636 Igmagnkg.exe 1028 Jodjhkkj.exe 3468 Jfnbdecg.exe 2348 Jilnqqbj.exe 3944 Jgonlm32.exe 4604 Jbdbjf32.exe 2392 Jecofa32.exe 3080 Jkmgblok.exe 4228 Jnkcogno.exe 4512 Jbgoof32.exe 820 Jiaglp32.exe 1280 Jpkphjeb.exe 3676 Jnnpdg32.exe 720 Jehhaaci.exe 2480 Jblijebc.exe 552 Jejefqaf.exe 3464 Kldmckic.exe 1772 Knbiofhg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cepjip32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pfepdg32.exe Process not Found File created C:\Windows\SysWOW64\Pknjieep.dll Process not Found File created C:\Windows\SysWOW64\Knaalh32.dll Mejpje32.exe File created C:\Windows\SysWOW64\Anbpqqmm.dll Nobdbkhf.exe File created C:\Windows\SysWOW64\Gpbkpm32.dll Dcigeooj.exe File created C:\Windows\SysWOW64\Hhblffgn.dll Process not Found File created C:\Windows\SysWOW64\Jbccge32.exe Process not Found File created C:\Windows\SysWOW64\Eokqkh32.exe Emmdom32.exe File created C:\Windows\SysWOW64\Gdoihpbk.exe Gpcmga32.exe File created C:\Windows\SysWOW64\Nkiebg32.dll Gpcmga32.exe File opened for modification C:\Windows\SysWOW64\Ihdafkdg.exe Iqmidndd.exe File created C:\Windows\SysWOW64\Bfjkjgbh.dll Eidlnd32.exe File created C:\Windows\SysWOW64\Bmkcqn32.exe Biogppeg.exe File opened for modification C:\Windows\SysWOW64\Hahokfag.exe Process not Found File created C:\Windows\SysWOW64\Oeoblb32.exe Obafpg32.exe File created C:\Windows\SysWOW64\Bpmhce32.dll Emjgim32.exe File created C:\Windows\SysWOW64\Fenghpla.dll Enbjad32.exe File created C:\Windows\SysWOW64\Bcnbjd32.dll Kechmoil.exe File opened for modification C:\Windows\SysWOW64\Pefhlaie.exe Pakllc32.exe File created C:\Windows\SysWOW64\Kjhloj32.exe Kgipcogp.exe File created C:\Windows\SysWOW64\Balenlhn.dll Odmbaj32.exe File created C:\Windows\SysWOW64\Ikfabm32.exe Iigdfa32.exe File created C:\Windows\SysWOW64\Nhnlkfpp.exe Neppokal.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Pkbjjbda.exe File opened for modification C:\Windows\SysWOW64\Lnjgfb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Neclenfo.exe Nmlddqem.exe File created C:\Windows\SysWOW64\Djiono32.dll Eoideh32.exe File created C:\Windows\SysWOW64\Mcpcdg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qbonoghb.exe Process not Found File created C:\Windows\SysWOW64\Gadqlkep.exe Gkjhoq32.exe File created C:\Windows\SysWOW64\Jnkcogno.exe Jkmgblok.exe File created C:\Windows\SysWOW64\Mhdjehhj.exe Mefmimif.exe File created C:\Windows\SysWOW64\Gckdpj32.dll Emphocjj.exe File created C:\Windows\SysWOW64\Cmbgdl32.exe Process not Found File created C:\Windows\SysWOW64\Hbobifpp.dll Process not Found File created C:\Windows\SysWOW64\Mibime32.dll Ghpocngo.exe File created C:\Windows\SysWOW64\Igegpo32.dll Ahgjejhd.exe File opened for modification C:\Windows\SysWOW64\Mnmdme32.exe Mgclpkac.exe File opened for modification C:\Windows\SysWOW64\Fihnomjp.exe Efjbcakl.exe File created C:\Windows\SysWOW64\Pkoaeldi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dndgfpbo.exe Process not Found File created C:\Windows\SysWOW64\Jpehef32.dll Process not Found File created C:\Windows\SysWOW64\Nefped32.exe Nbgcih32.exe File created C:\Windows\SysWOW64\Bjicdmmd.exe Abbkcpma.exe File created C:\Windows\SysWOW64\Qdbdcg32.exe Qachgk32.exe File created C:\Windows\SysWOW64\Ojdgnn32.exe Process not Found File created C:\Windows\SysWOW64\Hhknpmma.exe Hdpbon32.exe File opened for modification C:\Windows\SysWOW64\Qhmqdemc.exe Qdbdcg32.exe File created C:\Windows\SysWOW64\Mokmdh32.exe Process not Found File created C:\Windows\SysWOW64\Oghghb32.exe Process not Found File created C:\Windows\SysWOW64\Nhegig32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bpedeiff.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jecofa32.exe Jbdbjf32.exe File created C:\Windows\SysWOW64\Ocjggbdl.dll Gpcfmkff.exe File opened for modification C:\Windows\SysWOW64\Hibafp32.exe Hgdejd32.exe File created C:\Windows\SysWOW64\Koodbl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gngeik32.exe Process not Found File created C:\Windows\SysWOW64\Ckfphc32.exe Cihclh32.exe File created C:\Windows\SysWOW64\Dpdaepai.exe Dmfeidbe.exe File created C:\Windows\SysWOW64\Dddjmo32.dll Process not Found File created C:\Windows\SysWOW64\Gegkpf32.exe Process not Found File created C:\Windows\SysWOW64\Dpofmcef.dll Dfjgaq32.exe File created C:\Windows\SysWOW64\Aljejh32.dll Knfeeimj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12528 11792 Process not Found 1679 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblaabdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qepkbpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbphg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknfcofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehcdfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnegggi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophjiaql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglgjeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akamff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gafmaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkcdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdnabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmolepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcqpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmgiaig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ighhln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oigllh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdjeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdaadln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abponp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjomap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leenhhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhapk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocamjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdamgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofmfmhj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oohnonij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qadoba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplgeokq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anaemfem.dll" Jcgnbaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmofee32.dll" Dabhdinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faimhjhp.dll" Efjimhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmcka32.dll" Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhjghdk.dll" Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgieglah.dll" Pifnhpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbjmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifbbig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbpnlg.dll" Iijaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjckcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnnbmfj.dll" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkbmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkalplel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmkcqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldkg32.dll" Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgaeolp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll" Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgoeep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fineoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhidngmn.dll" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafpga32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfdddkc.dll" Fdkggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" Bhnikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffceip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecgdnkl.dll" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankkea32.dll" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipmfjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppejnh32.dll" Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgbdc32.dll" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glkmmefl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjccmbf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidoeq32.dll" Lhdqnj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2600 2000 77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe 82 PID 2000 wrote to memory of 2600 2000 77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe 82 PID 2000 wrote to memory of 2600 2000 77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe 82 PID 2600 wrote to memory of 2628 2600 Fdkggg32.exe 83 PID 2600 wrote to memory of 2628 2600 Fdkggg32.exe 83 PID 2600 wrote to memory of 2628 2600 Fdkggg32.exe 83 PID 2628 wrote to memory of 908 2628 Fkeodaai.exe 84 PID 2628 wrote to memory of 908 2628 Fkeodaai.exe 84 PID 2628 wrote to memory of 908 2628 Fkeodaai.exe 84 PID 908 wrote to memory of 2644 908 Gaogak32.exe 85 PID 908 wrote to memory of 2644 908 Gaogak32.exe 85 PID 908 wrote to memory of 2644 908 Gaogak32.exe 85 PID 2644 wrote to memory of 1108 2644 Gdncmghi.exe 86 PID 2644 wrote to memory of 1108 2644 Gdncmghi.exe 86 PID 2644 wrote to memory of 1108 2644 Gdncmghi.exe 86 PID 1108 wrote to memory of 5116 1108 Gglpibgm.exe 87 PID 1108 wrote to memory of 5116 1108 Gglpibgm.exe 87 PID 1108 wrote to memory of 5116 1108 Gglpibgm.exe 87 PID 5116 wrote to memory of 2968 5116 Gnfhfl32.exe 88 PID 5116 wrote to memory of 2968 5116 Gnfhfl32.exe 88 PID 5116 wrote to memory of 2968 5116 Gnfhfl32.exe 88 PID 2968 wrote to memory of 1788 2968 Gempgj32.exe 89 PID 2968 wrote to memory of 1788 2968 Gempgj32.exe 89 PID 2968 wrote to memory of 1788 2968 Gempgj32.exe 89 PID 1788 wrote to memory of 3332 1788 Ghklce32.exe 90 PID 1788 wrote to memory of 3332 1788 Ghklce32.exe 90 PID 1788 wrote to memory of 3332 1788 Ghklce32.exe 90 PID 3332 wrote to memory of 3796 3332 Gkjhoq32.exe 91 PID 3332 wrote to memory of 3796 3332 Gkjhoq32.exe 91 PID 3332 wrote to memory of 3796 3332 Gkjhoq32.exe 91 PID 3796 wrote to memory of 2388 3796 Gadqlkep.exe 92 PID 3796 wrote to memory of 2388 3796 Gadqlkep.exe 92 PID 3796 wrote to memory of 2388 3796 Gadqlkep.exe 92 PID 2388 wrote to memory of 3188 2388 Gdbmhf32.exe 93 PID 2388 wrote to memory of 3188 2388 Gdbmhf32.exe 93 PID 2388 wrote to memory of 3188 2388 Gdbmhf32.exe 93 PID 3188 wrote to memory of 2072 3188 Gkleeplq.exe 94 PID 3188 wrote to memory of 2072 3188 Gkleeplq.exe 94 PID 3188 wrote to memory of 2072 3188 Gkleeplq.exe 94 PID 2072 wrote to memory of 1220 2072 Gafmaj32.exe 95 PID 2072 wrote to memory of 1220 2072 Gafmaj32.exe 95 PID 2072 wrote to memory of 1220 2072 Gafmaj32.exe 95 PID 1220 wrote to memory of 1016 1220 Gddinf32.exe 96 PID 1220 wrote to memory of 1016 1220 Gddinf32.exe 96 PID 1220 wrote to memory of 1016 1220 Gddinf32.exe 96 PID 1016 wrote to memory of 5012 1016 Gkobjpin.exe 97 PID 1016 wrote to memory of 5012 1016 Gkobjpin.exe 97 PID 1016 wrote to memory of 5012 1016 Gkobjpin.exe 97 PID 5012 wrote to memory of 3668 5012 Gdgfce32.exe 98 PID 5012 wrote to memory of 3668 5012 Gdgfce32.exe 98 PID 5012 wrote to memory of 3668 5012 Gdgfce32.exe 98 PID 3668 wrote to memory of 4480 3668 Hnoklk32.exe 99 PID 3668 wrote to memory of 4480 3668 Hnoklk32.exe 99 PID 3668 wrote to memory of 4480 3668 Hnoklk32.exe 99 PID 4480 wrote to memory of 4376 4480 Hffcmh32.exe 100 PID 4480 wrote to memory of 4376 4480 Hffcmh32.exe 100 PID 4480 wrote to memory of 4376 4480 Hffcmh32.exe 100 PID 4376 wrote to memory of 2436 4376 Hghoeqmp.exe 101 PID 4376 wrote to memory of 2436 4376 Hghoeqmp.exe 101 PID 4376 wrote to memory of 2436 4376 Hghoeqmp.exe 101 PID 2436 wrote to memory of 1528 2436 Hnagak32.exe 102 PID 2436 wrote to memory of 1528 2436 Hnagak32.exe 102 PID 2436 wrote to memory of 1528 2436 Hnagak32.exe 102 PID 1528 wrote to memory of 4408 1528 Hfipbh32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe"C:\Users\Admin\AppData\Local\Temp\77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe23⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe24⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe25⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe26⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe27⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe28⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4280 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe31⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe32⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe33⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe35⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe36⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe37⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe38⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe39⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe40⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe41⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe42⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe43⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe46⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe48⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe49⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe50⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe51⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe52⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4604 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe54⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3080 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe56⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe57⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe58⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe59⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3676 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe61⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe62⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe63⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe64⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe65⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe66⤵PID:1728
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe67⤵PID:4120
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe68⤵PID:1584
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4660 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe70⤵PID:1860
-
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe71⤵PID:1352
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe72⤵PID:3484
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe73⤵PID:3660
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe75⤵PID:1752
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe76⤵
- Drops file in System32 directory
PID:3516 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe77⤵PID:2652
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe78⤵PID:2084
-
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe79⤵PID:700
-
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe80⤵PID:3852
-
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe81⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe82⤵PID:3456
-
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe83⤵PID:468
-
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe84⤵PID:3644
-
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe85⤵
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe86⤵PID:532
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe87⤵PID:4948
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe88⤵PID:316
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe89⤵PID:4984
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe90⤵PID:880
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe91⤵PID:3112
-
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe92⤵PID:1964
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe93⤵PID:1924
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe94⤵PID:2712
-
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe95⤵PID:5080
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe96⤵PID:5016
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe97⤵PID:2244
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe98⤵PID:1392
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe99⤵PID:4596
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe100⤵PID:1076
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe101⤵PID:1832
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe102⤵PID:2404
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe103⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe104⤵PID:3388
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe105⤵PID:220
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe106⤵PID:1416
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe107⤵PID:3940
-
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe108⤵PID:4084
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe109⤵PID:2472
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe110⤵PID:2444
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe111⤵PID:3360
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe112⤵PID:5036
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe113⤵PID:4932
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe114⤵PID:4044
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4804 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe116⤵PID:3912
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe117⤵PID:2940
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe118⤵
- Drops file in System32 directory
PID:4832 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe119⤵PID:1484
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe120⤵PID:3848
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe121⤵PID:4224
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-