Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 23:24
Static task: static1
Behavioral task behavioral1: sample 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe, resource win10v2004-20240226-en
The signatures, YARA hits and process tree below belong to behavioral2 (the windows10-2004_x64 run); every resource path is prefixed behavioral2/.
General
Target: 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe
Size: 243KB
MD5: 86c1384b7eac799a2c9924ab6d06675e
SHA1: d4a68a1859ec86db3cd90042850a9bb1b8be5d5f
SHA256: 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc
SHA512: 5e6cdb1c25cf442d27be4b952ab9f6b57f24cea4af4920cbc18368790572ce54699f0e3505a7d452b00ef492cd1f589573dc515d713045d62792e59f98216bd6
SSDEEP: 6144:527zx544JKzwesDzjhZAKqDuvlU2zlNgwTnAWtlhjQ:5qzxu4zliol5LhDAalhj
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 IoCs touch one key. ShellServiceObjectDelayLoad (SSODL) lists CLSIDs that explorer.exe instantiates in-process at logon, so the DLL registered for the CLSID runs inside Explorer without a Run key, a service or a scheduled task. The CLSID written here, {79FEACFF-FFCE-815E-A900-316290B5B738}, is the one whose InProcServer32 value is rewritten in "Modifies registry class" further down; together the two sections describe the persistence chain. The same value is written repeatedly because each dropped copy of the malware re-registers it.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}", written by 31 processes:
Eggmge32.exe, Fpodlbng.exe, Ckeimm32.exe, Fqdbdbna.exe, Abcppq32.exe, Legjmh32.exe, Bcbeqaia.exe, Gkleeplq.exe, Mfenglqf.exe, Adgbpc32.exe, Hkckeo32.exe, Bldgoeog.exe, Ddcogo32.exe, Pdpmpdbd.exe, Ohgoaehe.exe, Likcilhh.exe, Gjficg32.exe, Jjkdlall.exe, Emhldnkj.exe, Klmpiiai.exe, Pflibgil.exe, Mjpbam32.exe, Ldanqkki.exe, Loopdmpk.exe, Lcnmin32.exe, Dpllbp32.exe, Fkbkdkpp.exe, Jhfbog32.exe, Nhlfoodc.exe, Okfbgiij.exe, Gkoplk32.exe

Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, by 33 processes:
Dickplko.exe, Bjokdipf.exe, Bemqih32.exe, Hepgkohh.exe, Aijlgkjq.exe, Hfklhhcl.exe, Cpbbch32.exe, Mckemg32.exe, Gepmlimi.exe, Oeicejia.exe, Apkjddke.exe, Knbbep32.exe, Eleiam32.exe, Adgbpc32.exe, Bcghch32.exe, Nmigoagp.exe, Mccokj32.exe, Qgqeappe.exe, Ihbponja.exe, Ealkjh32.exe, Kefkme32.exe, Hffcmh32.exe, Jeekkafl.exe, Jejefqaf.exe, Bqfoamfj.exe, Kkhpdcab.exe, Pjhlml32.exe, Deokon32.exe, Gafmaj32.exe, Kpdboimg.exe, Jbaojpgb.exe, Nepgjaeg.exe, Nlkgmh32.exe
Detects executables built or packed with MPress PE compressor (63 IoCs)
yara_rule INDICATOR_EXE_Packed_MPress matched the following resources (dropped files and the 0x400000-0x467000 image region of running copies):
behavioral2/files/0x0008000000023211-7.dat
behavioral2/files/0x0007000000023218-15.dat
behavioral2/files/0x000700000002321a-23.dat
behavioral2/files/0x000700000002321c-31.dat
behavioral2/files/0x000700000002321e-40.dat
behavioral2/memory/4460-41-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/files/0x0007000000023220-48.dat
behavioral2/files/0x0007000000023223-55.dat
behavioral2/files/0x0007000000023225-63.dat
behavioral2/files/0x0007000000023227-71.dat
behavioral2/files/0x0008000000023215-80.dat
behavioral2/files/0x000700000002322a-87.dat
behavioral2/files/0x000700000002322c-96.dat
behavioral2/files/0x000700000002322e-104.dat
behavioral2/files/0x0007000000023230-112.dat
behavioral2/files/0x0007000000023232-120.dat
behavioral2/files/0x0007000000023234-128.dat
behavioral2/files/0x0007000000023236-135.dat
behavioral2/files/0x0007000000023238-143.dat
behavioral2/files/0x000700000002323a-151.dat
behavioral2/memory/2940-153-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/files/0x000700000002323d-159.dat
behavioral2/files/0x000700000002323f-167.dat
behavioral2/files/0x0007000000023241-176.dat
behavioral2/files/0x0007000000023243-183.dat
behavioral2/files/0x0007000000023245-191.dat
behavioral2/files/0x0007000000023247-199.dat
behavioral2/files/0x0007000000023249-208.dat
behavioral2/files/0x000700000002324b-215.dat
behavioral2/files/0x000700000002324d-224.dat
behavioral2/files/0x000700000002324f-231.dat
behavioral2/memory/1576-233-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/files/0x0007000000023251-239.dat
behavioral2/files/0x0007000000023253-247.dat
behavioral2/files/0x0007000000023255-255.dat
behavioral2/memory/3404-293-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/224-287-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/2676-299-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/996-305-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/1564-315-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/3924-330-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/4056-340-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/3904-346-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/2104-352-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/1568-358-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/5036-364-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/memory/2860-370-0x0000000000400000-0x0000000000467000-memory.dmp
behavioral2/files/0x00070000000232a0-484.dat
behavioral2/files/0x00070000000232fc-768.dat
behavioral2/files/0x000700000002339c-1269.dat
behavioral2/files/0x00070000000233c6-1400.dat
behavioral2/files/0x00070000000233cc-1417.dat
behavioral2/files/0x0007000000023415-1618.dat
behavioral2/files/0x000700000002344b-1775.dat
behavioral2/files/0x0007000000023455-1805.dat
behavioral2/files/0x000700000002349c-1988.dat
behavioral2/files/0x00070000000234db-2193.dat
behavioral2/files/0x00070000000234ef-2256.dat
behavioral2/files/0x0007000000023507-2327.dat
behavioral2/files/0x0007000000023533-2461.dat
behavioral2/files/0x0007000000023543-2508.dat
behavioral2/files/0x000700000002354d-2537.dat
behavioral2/files/0x0007000000023575-2658.dat
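The rule fires on every dropped file and on the 0x400000-0x467000 image of every running copy, which is what you expect when one packed binary copies itself under new names. The check below is an added example written for this page, not tria.ge's code and not the logic of the INDICATOR_EXE_Packed_MPress rule itself: a dependency-free walk of the PE section table that flags MPress by its characteristic section names (.MPRESS1 and .MPRESS2) and also reports any section that is both writable and executable, which a packer's in-place unpacking stub needs. Because the sample is not embedded here, the two headers it scans are constructed in the block (one mimicking the report's 0x67000-byte image, one a plain build); the build_minimal_pe helper and its section values are assumptions for the demo.

```python
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, virtual_size, raw_size, characteristics)]."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    if table + n_sections * SECTION_HDR.size > len(data):
        raise ValueError("section table runs past end of file")
    out = []
    for i in range(n_sections):
        name, vsize, _va, rsize, _raw, _, _, _, _, chars = SECTION_HDR.unpack_from(
            data, table + i * SECTION_HDR.size)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, chars))
    return out


def mpress_report(data):
    """Name-based MPress check plus a generic W+X section warning."""
    sections = pe_sections(data)
    mpress = [s[0] for s in sections if s[0].upper().startswith(".MPRESS")]
    wx = [s[0] for s in sections
          if s[3] & IMAGE_SCN_MEM_EXECUTE and s[3] & IMAGE_SCN_MEM_WRITE]
    return {"sections": [s[0] for s in sections], "mpress_sections": mpress,
            "writable_executable": wx, "verdict": bool(mpress)}


def build_minimal_pe(section_specs):
    """Constructed test input (assumption, not the real sample): an MZ/PE header
    with the given section table and no code behind it."""
    opt_size = 0xE0  # PE32 optional header length; only its size matters here
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    table = b"".join(
        SECTION_HDR.pack(name.encode("ascii").ljust(8, b"\0"), vsize,
                         0x1000 * (i + 1), rsize, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, vsize, rsize, chars) in enumerate(section_specs))
    return bytes(dos) + b"PE\0\0" + coff + optional + table


# Constructed headers: a packed layout whose image size matches the report's
# 0x400000-0x467000 region, and an ordinary compiler layout for comparison.
PACKED = build_minimal_pe([
    (".MPRESS1", 0x67000, 0x3C000, 0xE0000060),  # code|data|exec|read|write
    (".MPRESS2", 0x01000, 0x00800, 0x60000060),  # code|data|exec|read
])
CLEAN = build_minimal_pe([
    (".text", 0x5000, 0x5000, 0x60000020),       # code|exec|read
    (".data", 0x1000, 0x0200, 0xC0000040),       # data|read|write
])

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("constructed-packed", PACKED), ("constructed-clean", CLEAN)]
    for label, blob in targets:
        print(label, mpress_report(blob))
```

Run it with one or more file paths to scan real droppers; with no arguments it scans the two constructed headers. A section-name match is strong evidence but not proof (names are trivially renamed), so the W+X list is reported separately as a second, name-independent signal.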
Executes dropped EXE (64 IoCs)
pid  Process
3408  Edkdkplj.exe
2424  Eoaihhlp.exe
2008  Eleiam32.exe
2156  Elgfgl32.exe
4460  Ehnglm32.exe
4000  Fohoigfh.exe
2552  Fkopnh32.exe
920  Fomhdg32.exe
1596  Flqimk32.exe
1964  Ffimfqgm.exe
1196  Flceckoj.exe
4864  Fcmnpe32.exe
3600  Fhjfhl32.exe
4012  Gbbkaako.exe
3212  Ghlcnk32.exe
2040  Gcagkdba.exe
1996  Gmjlcj32.exe
2808  Gokdeeec.exe
2940  Gicinj32.exe
4428  Gfgjgo32.exe
4660  Hfifmnij.exe
2188  Hkfoeega.exe
3844  Hflcbngh.exe
1292  Heapdjlp.exe
4340  Hcbpab32.exe
396  Jifhaenk.exe
3652  Jpppnp32.exe
3040  Kiidgeki.exe
1576  Kpbmco32.exe
964  Klimip32.exe
2956  Kfoafi32.exe
1684  Klljnp32.exe
1036  Kipkhdeq.exe
4156  Kpjcdn32.exe
4360  Kefkme32.exe
3588  Kplpjn32.exe
224  Liddbc32.exe
3404  Ldjhpl32.exe
2676  Ligqhc32.exe
996  Lfkaag32.exe
1564  Lmdina32.exe
1704  Ldoaklml.exe
1348  Likjcbkc.exe
3924  Ldanqkki.exe
4924  Lgokmgjm.exe
4056  Lmiciaaj.exe
3904  Mdckfk32.exe
2104  Mmlpoqpg.exe
1568  Mdehlk32.exe
5036  Mibpda32.exe
2860  Mckemg32.exe
3964  Miemjaci.exe
5028  Mpoefk32.exe
2036  Mgimcebb.exe
3332  Mmbfpp32.exe
1396  Mdmnlj32.exe
2832  Mnebeogl.exe
888  Ndokbi32.exe
3912  Nepgjaeg.exe
2500  Nljofl32.exe
4464  Njnpppkn.exe
2836  Nphhmj32.exe
3592  Njqmepik.exe
1716  Nloiakho.exe
Drops file in System32 directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\Epjajeqo.exe  Djmibn32.exe
File created  C:\Windows\SysWOW64\Mlmgnn32.dll  Bbgeno32.exe
File opened for modification  C:\Windows\SysWOW64\Kpbmco32.exe  Kiidgeki.exe
File created  C:\Windows\SysWOW64\Nloiakho.exe  Njqmepik.exe
File created  C:\Windows\SysWOW64\Kfnkkb32.exe  Kpdboimg.exe
File created  C:\Windows\SysWOW64\Oljaccjf.exe  Oepifi32.exe
File created  C:\Windows\SysWOW64\Bgnkhg32.exe  Ajjjocap.exe
File created  C:\Windows\SysWOW64\Noiilpik.dll  Bppfmigl.exe
File opened for modification  C:\Windows\SysWOW64\Kcndbp32.exe  Kmdlffhj.exe
File created  C:\Windows\SysWOW64\Pmeoqlpl.exe  Pdngpo32.exe
File created  C:\Windows\SysWOW64\Bhgngp32.dll  Jnifigpa.exe
File opened for modification  C:\Windows\SysWOW64\Dmoohe32.exe  Ccgjopal.exe
File opened for modification  C:\Windows\SysWOW64\Ieqpbm32.exe  Ibbcfa32.exe
File created  C:\Windows\SysWOW64\Aijnep32.exe  Aflaie32.exe
File created  C:\Windows\SysWOW64\Mkddhfnh.dll  Bdcmkgmm.exe
File created  C:\Windows\SysWOW64\Fjinnekj.dll  Fglnkm32.exe
File created  C:\Windows\SysWOW64\Nebmekoi.exe  Nohehq32.exe
File opened for modification  C:\Windows\SysWOW64\Nibbqicm.exe  Ngdfdmdi.exe
File created  C:\Windows\SysWOW64\Npbceggm.exe  Mokmdh32.exe
File created  C:\Windows\SysWOW64\Nailkcbb.dll  Fcneeo32.exe
File opened for modification  C:\Windows\SysWOW64\Nomlek32.exe  Nhbciqln.exe
File opened for modification  C:\Windows\SysWOW64\Qfjcep32.exe  Qppkhfec.exe
File created  C:\Windows\SysWOW64\Gdojoeki.dll  Okailj32.exe
File created  C:\Windows\SysWOW64\Iphcjp32.dll  Bffkij32.exe
File opened for modification  C:\Windows\SysWOW64\Hffcmh32.exe  Gkaopp32.exe
File created  C:\Windows\SysWOW64\Ehmbndpm.dll  Lemkcnaa.exe
File created  C:\Windows\SysWOW64\Kjcejfha.dll  Faenpf32.exe
File opened for modification  C:\Windows\SysWOW64\Nbbnbemf.exe  Nkhfek32.exe
File created  C:\Windows\SysWOW64\Odbgdp32.exe  Nhlfoodc.exe
File created  C:\Windows\SysWOW64\Gadiippo.dll  Oaplqh32.exe
File created  C:\Windows\SysWOW64\Dinjjf32.exe  Debnjgcp.exe
File opened for modification  C:\Windows\SysWOW64\Kpjcdn32.exe  Kipkhdeq.exe
File created  C:\Windows\SysWOW64\Cajlhqjp.exe  Bfhhoi32.exe
File opened for modification  C:\Windows\SysWOW64\Chcddk32.exe  Cajlhqjp.exe
File created  C:\Windows\SysWOW64\Ifolfj32.dll  Nojanpej.exe
File created  C:\Windows\SysWOW64\Lefqkm32.dll  Pcpikkge.exe
File created  C:\Windows\SysWOW64\Lenicahg.exe  Lcnmin32.exe
File created  C:\Windows\SysWOW64\Nlkgmh32.exe  Nmigoagp.exe
File created  C:\Windows\SysWOW64\Mgcail32.dll  Cmqmma32.exe
File created  C:\Windows\SysWOW64\Danecp32.exe  Dfiafg32.exe
File created  C:\Windows\SysWOW64\Eolhbc32.exe  Egdqae32.exe
File opened for modification  C:\Windows\SysWOW64\Mbedga32.exe  Mpghkf32.exe
File opened for modification  C:\Windows\SysWOW64\Dpckjfgg.exe  Djfcaohp.exe
File created  C:\Windows\SysWOW64\Paihbi32.dll  Jdnoplhh.exe
File created  C:\Windows\SysWOW64\Ofgmib32.exe  Ochamg32.exe
File created  C:\Windows\SysWOW64\Qamhhedg.dll  Klimip32.exe
File created  C:\Windows\SysWOW64\Fgjccb32.exe  Fdkggg32.exe
File created  C:\Windows\SysWOW64\Jpkbko32.dll  Inainbcn.exe
File created  C:\Windows\SysWOW64\Djfoankj.dll  Dkbocbog.exe
File created  C:\Windows\SysWOW64\Gmdcfidg.exe  Gblbca32.exe
File created  C:\Windows\SysWOW64\Oipgkfab.dll  Mlhqcgnk.exe
File opened for modification  C:\Windows\SysWOW64\Gddbcp32.exe  Ginnfgop.exe
File created  C:\Windows\SysWOW64\Lmgnid32.dll  Emhkdmlg.exe
File created  C:\Windows\SysWOW64\Mdcajc32.dll  Mjnnbk32.exe
File opened for modification  C:\Windows\SysWOW64\Ddmhhd32.exe  Dcnlnaom.exe
File created  C:\Windows\SysWOW64\Eknanh32.dll  Ndnnianm.exe
File created  C:\Windows\SysWOW64\Iholohii.exe  Ieqpbm32.exe
File opened for modification  C:\Windows\SysWOW64\Gicinj32.exe  Gokdeeec.exe
File opened for modification  C:\Windows\SysWOW64\Moaogand.exe  Moobbb32.exe
File opened for modification  C:\Windows\SysWOW64\Ppmcdq32.exe  Phelcc32.exe
File created  C:\Windows\SysWOW64\Iophkojl.dll  Kdigadjo.exe
File opened for modification  C:\Windows\SysWOW64\Edionhpn.exe  Enkmfolf.exe
File created  C:\Windows\SysWOW64\Mjidgkog.exe  Jhifomdj.exe
File created  C:\Windows\SysWOW64\Nlaqpipg.dll  Pgioqq32.exe
Program crash (1 IoC)
pid 7216, pid_target 7312, Process WerFault.exe, procid_target 871
Modifies registry class (64 IoCs)
All 64 IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the COM registration that tells Explorer which DLL to load for the CLSID written into ShellServiceObjectDelayLoad above. Each process that rewrites the default value points it at its own DLL in SysWow64, so the DLL that actually persists is the one named by the last write.

Key created (InProcServer32 subkey), by 29 processes:
Onocomdo.exe, Bfhhoi32.exe, Qfjcep32.exe, Hncmmd32.exe, Oocddono.exe, Jjdokb32.exe, Mekdffee.exe, Beoimjce.exe, Ckdkhq32.exe, Kbeibo32.exe, Pkgcea32.exe, Anclbkbp.exe, Fbelcblk.exe, Jpppnp32.exe, Kgninn32.exe, Mkepineo.exe, Fddqghpd.exe, Nlqomd32.exe, Llflea32.exe, Loopdmpk.exe, Dhkjej32.exe, Anmjcieo.exe, Qqhcpo32.exe, Jbfheo32.exe, Lpbopfag.exe, Mblcnj32.exe, Mglfplgk.exe, Kijchhbo.exe, Hghfnioq.exe

Set value (str) InProcServer32\ThreadingModel = "Apartment", by 16 processes:
Padnaq32.exe, Mgimcebb.exe, Nklbmllg.exe, Hjmodffo.exe, Aealll32.exe, Jklinohd.exe, Gdafnpqh.exe, Pimfpc32.exe, Pmmeak32.exe, Hhlejcpm.exe, Amkabind.exe, Hfningai.exe, Efccmidp.exe, Qmckbjdl.exe, Emnbdioi.exe, Pdmpje32.exe

Set value (str) InProcServer32\ (default) = DLL path, 19 IoCs (value, Process):
"C:\\Windows\\SysWow64\\Jhepna32.dll"  Hfningai.exe
"C:\\Windows\\SysWow64\\Ikaqhj32.dll"  Mhppji32.exe
"C:\\Windows\\SysWow64\\Dgplfcko.dll"  Ajjjocap.exe
"C:\\Windows\\SysWow64\\Ghfedh32.dll"  Fkfcqb32.exe
"C:\\Windows\\SysWow64\\Ciepangh.dll"  Lfealaol.exe
"C:\\Windows\\SysWow64\\Pnjknp32.dll"  Ndokbi32.exe
"C:\\Windows\\SysWow64\\Kgldjcmk.dll"  Pjmehkqk.exe
"C:\\Windows\\SysWow64\\Enqjamin.dll"  Jhlgfj32.exe
"C:\\Windows\\SysWow64\\Ipckmjqi.dll"  Dkdliame.exe
"C:\\Windows\\SysWow64\\Hbhhgenc.dll"  Emaedo32.exe
"C:\\Windows\\SysWow64\\Blqhpg32.dll"  Ngndaccj.exe
"C:\\Windows\\SysWow64\\Fmpbqoqg.dll"  Cfcjfk32.exe
"C:\\Windows\\SysWow64\\Ipligd32.dll"  Hdbfodfa.exe
"C:\\Windows\\SysWow64\\Ejgcaq32.dll"  Agbkmijg.exe
"C:\\Windows\\SysWow64\\Fkldkg32.dll"  Ngjbaj32.exe
"C:\\Windows\\SysWow64\\Iihqganf.dll"  Lfkaag32.exe
"C:\\Windows\\SysWow64\\Iafkni32.dll"  Akcjkfij.exe
"C:\\Windows\\SysWow64\\Hmnajl32.dll"  Mjdebfnd.exe
"C:\\Windows\\SysWow64\\Cefnemqj.dll"  Amkabind.exe
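The "Adds autorun key" and "Modifies registry class" tables only make sense together: the first names a CLSID, the second names the DLL behind it. The following is an added example written for this page, not code from tria.ge: it parses registry rows in the report's "description ioc Process" text form, then joins the ShellServiceObjectDelayLoad write to the CLSID's InProcServer32 default value so that each persistence entry is reported as CLSID, SSODL value name, the DLL paths registered for it (in write order) and which processes did the writing. The rows it runs over are a constructed sample copied from a handful of rows on this page; the row regex and the column layout it assumes are mine.

```python
import re

# Constructed sample: seven rows in the report's row format, taken from the two
# registry signatures above (the report escapes backslashes inside string data).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eggmge32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dickplko.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpodlbng.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfningai.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhepna32.dll" Hfningai.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfningai.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaqhj32.dll" Mhppji32.exe
"""

# description, then ioc (a path that may contain spaces, optionally = "data"), then Process
ROW_RE = re.compile(r"^(?P<op>Set value \(\w+\)|Key created) (?P<rest>.+) (?P<proc>\S+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def parse_registry_row(row):
    """One report row -> dict with op, key, value name, data, process (or None)."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    op, rest, proc = m.group("op"), m.group("rest"), m.group("proc")
    if op == "Key created":
        return {"op": "key_created", "key": rest, "name": None, "data": None, "process": proc}
    path, _, data = rest.partition(" = ")
    key, _, name = path.rpartition("\\")          # trailing "\" means the default value
    data = data.strip('"').replace("\\\\", "\\")  # undo the report's escaping
    return {"op": "set_value", "key": key, "name": name, "data": data, "process": proc}


def correlate_ssodl(events):
    """Join SSODL entries to the InProcServer32 default value of their CLSID."""
    ssodl, inproc = {}, {}
    for e in events:
        if e["op"] != "set_value":
            continue
        key = e["key"].lower()
        if key.endswith(r"\shellserviceobjectdelayload"):
            m = CLSID_RE.search(e["data"])
            if m:
                entry = ssodl.setdefault(m.group(0).upper(), {"name": e["name"], "set_by": set()})
                entry["set_by"].add(e["process"])
        elif key.endswith(r"\inprocserver32") and e["name"] == "":
            m = CLSID_RE.search(e["key"])
            if m:
                inproc.setdefault(m.group(0).upper(), []).append((e["data"], e["process"]))
    findings = []
    for clsid, entry in sorted(ssodl.items()):
        regs = inproc.get(clsid, [])
        findings.append({"clsid": clsid, "ssodl_name": entry["name"],
                         "set_by": sorted(entry["set_by"]),
                         "dlls": [d for d, _ in regs], "registered_by": [p for _, p in regs]})
    return findings


def analyse(text):
    return correlate_ssodl([e for e in map(parse_registry_row, text.splitlines()) if e])


if __name__ == "__main__":
    for f in analyse(SAMPLE_ROWS):
        print(f"{f['ssodl_name']} -> {f['clsid']}")
        for dll, proc in zip(f["dlls"], f["registered_by"]):
            print(f"  InProcServer32 = {dll}  (written by {proc})")
        print(f"  SSODL value written by: {', '.join(f['set_by'])}")
```

The last entry in `dlls` is the one Explorer will load at next logon; the earlier ones are the history of re-registrations by the other dropped copies and are worth collecting as file IoCs in their own right. An SSODL CLSID with no InProcServer32 hit is reported with an empty `dlls` list rather than dropped, since the registration may simply fall outside the 64 rows the report shows.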
Suspicious use of WriteProcessMemory (64 IoCs)
Each row is one recorded WriteProcessMemory call. The first 64 rows cover 21 parent/child pairs at three calls each plus the first call of the 22nd, and every parent writes into exactly one child, so the rows describe a straight chain rather than a fan-out. Collapsed by pair (pid -> target pid, Process, procid_target, calls):
3576 -> 3408  91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe  86  (3)
3408 -> 2424  Edkdkplj.exe  87  (3)
2424 -> 2008  Eoaihhlp.exe  88  (3)
2008 -> 2156  Eleiam32.exe  90  (3)
2156 -> 4460  Elgfgl32.exe  91  (3)
4460 -> 4000  Ehnglm32.exe  92  (3)
4000 -> 2552  Fohoigfh.exe  93  (3)
2552 -> 920  Fkopnh32.exe  94  (3)
920 -> 1596  Fomhdg32.exe  96  (3)
1596 -> 1964  Flqimk32.exe  97  (3)
1964 -> 1196  Ffimfqgm.exe  98  (3)
1196 -> 4864  Flceckoj.exe  99  (3)
4864 -> 3600  Fcmnpe32.exe  100  (3)
3600 -> 4012  Fhjfhl32.exe  101  (3)
4012 -> 3212  Gbbkaako.exe  102  (3)
3212 -> 2040  Ghlcnk32.exe  103  (3)
2040 -> 1996  Gcagkdba.exe  104  (3)
1996 -> 2808  Gmjlcj32.exe  105  (3)
2808 -> 2940  Gokdeeec.exe  106  (3)
2940 -> 4428  Gicinj32.exe  107  (3)
4428 -> 4660  Gfgjgo32.exe  108  (3)
4660 -> 2188  Hfifmnij.exe  109  (1, table cut off at 64 rows)
Processes
-
C:\Users\Admin\AppData\Local\Temp\91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe"C:\Users\Admin\AppData\Local\Temp\91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe23⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe24⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe25⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe26⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe27⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe30⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe32⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe33⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe35⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe37⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe38⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe39⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe40⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe42⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe43⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe44⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe46⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe47⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe48⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe49⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe50⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe51⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe53⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe54⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe56⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe57⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe58⤵PID:1520
-
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe59⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe62⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe63⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe64⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3592 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe66⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe67⤵PID:4368
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe68⤵PID:1700
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe69⤵PID:3248
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe70⤵PID:3508
-
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe71⤵PID:4624
-
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe72⤵PID:2244
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe73⤵PID:2824
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe74⤵PID:1136
-
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe75⤵PID:4480
-
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe76⤵PID:4824
-
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe77⤵PID:5072
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe78⤵PID:2448
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe79⤵PID:1384
-
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe80⤵PID:4964
-
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe81⤵PID:4456
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe82⤵PID:4884
-
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe83⤵PID:4860
-
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe84⤵PID:4600
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe85⤵PID:4284
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe86⤵PID:4856
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe87⤵PID:2364
-
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe88⤵PID:4396
-
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe89⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4796 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe91⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe92⤵PID:4424
-
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe94⤵
- Modifies registry class
PID:4768 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe95⤵PID:5124
-
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe97⤵PID:5208
-
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe98⤵PID:5252
-
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe99⤵PID:5292
-
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe100⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5372 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe102⤵PID:5412
-
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe103⤵PID:5452
-
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe104⤵PID:5492
-
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe105⤵PID:5532
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe106⤵PID:5572
-
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe107⤵PID:5624
-
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe108⤵PID:5664
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe109⤵PID:5712
-
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe110⤵PID:5756
-
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe111⤵PID:5796
-
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe112⤵PID:5844
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe113⤵PID:5896
-
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5932 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe115⤵PID:5984
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe116⤵PID:6036
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe117⤵
- Drops file in System32 directory
PID:6088 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe118⤵PID:6128
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe120⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe121⤵PID:5328
-
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe122⤵PID:5360