Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 146s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 03/05/2024, 02:04
Static task: static1
Behavioral task: behavioral1
  Sample: ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe
  Resource: win10v2004-20240419-en
General
Target: ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe
Size: 88KB
MD5: 84b21af7eb856e13d9150f6b0253d371
SHA1: 69588b039ac8434aa148e9f7065d2925edbbcc14
SHA256: ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337
SHA512: 160f340b9a796bff5082b2dd40cbd7fd0859a2a85064509c4302a9da8e1a1a0c9eb60491e8688f689c13d78000807bbeed538fec468ed33ea02d3130a3f7da20
SSDEEP: 1536:jYYBh15NSjnEDfjMm2FCQtRhQpi3AiRHwrv3twmtXFMz4GWh5BG1nouy8L:r5Nm6fTytRhQpi3A04rMz4XVGtoutL
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmdkjmip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfflql32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akdafn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcmcebkc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejcofica.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gleqdb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opnbbe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnapnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjhckg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebappk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihiabfhk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chofhm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igbqdlea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mkipao32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnklgkap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nomkfk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpoibp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhiomn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iafnjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kpkpadnl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddaemh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Emjhmipi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcggef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbjjekhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbflno32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paggce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Opnbbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ijkocg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iladfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlilqbgp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aognbnkm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kckhdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cehfkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iflmjihl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kabngjla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pecelm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljfapjbi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apedah32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdqnkoep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkcilc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnjofo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmkeke32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpjkeoha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifbphh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlafkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnkdnqhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bedhgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lmcilp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnaiol32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekfpmf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bceeqi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aphcppmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpokjd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okinik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hnjbeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dnpciaef.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epeoaffo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkobpmlo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppopja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpckce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfmqigba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcncbc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfejjgli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Omklkkpl.exe
UPX dump on OEP (original entry point) (64 IoCs)
resource | yara_rule
behavioral1/files/0x000c00000001441e-5.dat | UPX
behavioral1/files/0x0008000000014e3d-19.dat | UPX
behavioral1/files/0x0007000000014fe1-33.dat | UPX
behavioral1/files/0x0007000000015c7c-47.dat | UPX
behavioral1/files/0x0006000000016cd4-60.dat | UPX
behavioral1/files/0x0006000000016d01-75.dat | UPX
behavioral1/files/0x0006000000016d24-87.dat | UPX
behavioral1/files/0x0006000000016d36-101.dat | UPX
behavioral1/files/0x0006000000016d4a-114.dat | UPX
behavioral1/files/0x0006000000016d55-127.dat | UPX
behavioral1/files/0x0006000000016d89-140.dat | UPX
behavioral1/files/0x000600000001704f-153.dat | UPX
behavioral1/files/0x000500000001868c-166.dat | UPX
behavioral1/files/0x00050000000186a0-179.dat | UPX
behavioral1/files/0x0006000000018ae8-192.dat | UPX
behavioral1/files/0x0006000000018b33-206.dat | UPX
behavioral1/files/0x0006000000018b42-222.dat | UPX
behavioral1/files/0x0006000000018b6a-230.dat | UPX
behavioral1/files/0x0006000000018b96-242.dat | UPX
behavioral1/files/0x0006000000018d06-251.dat | UPX
behavioral1/files/0x00050000000192f4-261.dat | UPX
behavioral1/files/0x0005000000019333-269.dat | UPX
behavioral1/files/0x0005000000019377-278.dat | UPX
behavioral1/files/0x00050000000193b0-287.dat | UPX
behavioral1/files/0x000500000001946b-300.dat | UPX
behavioral1/files/0x0005000000019473-310.dat | UPX
behavioral1/files/0x00050000000194a4-321.dat | UPX
behavioral1/files/0x00040000000194d8-333.dat | UPX
behavioral1/files/0x00050000000194ee-346.dat | UPX
behavioral1/files/0x00050000000194f2-357.dat | UPX
behavioral1/files/0x0005000000019547-379.dat | UPX
behavioral1/files/0x000500000001959c-390.dat | UPX
behavioral1/files/0x00050000000195a2-401.dat | UPX
behavioral1/files/0x00050000000195a8-427.dat | UPX
behavioral1/files/0x00050000000195ff-449.dat | UPX
behavioral1/files/0x00050000000196d8-460.dat | UPX
behavioral1/files/0x00050000000195aa-436.dat | UPX
behavioral1/files/0x0005000000019bd6-471.dat | UPX
behavioral1/files/0x0005000000019bd8-481.dat | UPX
behavioral1/files/0x00050000000195a6-410.dat | UPX
behavioral1/files/0x000500000001950c-367.dat | UPX
behavioral1/files/0x0005000000019cba-492.dat | UPX
behavioral1/files/0x0005000000019d4d-500.dat | UPX
behavioral1/files/0x0005000000019f42-510.dat | UPX
behavioral1/files/0x000500000001a00c-520.dat | UPX
behavioral1/files/0x000500000001a04c-532.dat | UPX
behavioral1/files/0x000500000001a31e-540.dat | UPX
behavioral1/files/0x000500000001a3c5-550.dat | UPX
behavioral1/files/0x000500000001a3cd-560.dat | UPX
behavioral1/files/0x000500000001a40b-572.dat | UPX
behavioral1/files/0x000500000001a42b-582.dat | UPX
behavioral1/files/0x000500000001a432-592.dat | UPX
behavioral1/files/0x000500000001a441-603.dat | UPX
behavioral1/files/0x000500000001a445-614.dat | UPX
behavioral1/files/0x000500000001a449-625.dat | UPX
behavioral1/files/0x000500000001a44d-637.dat | UPX
behavioral1/files/0x000500000001a451-647.dat | UPX
behavioral1/files/0x000500000001a455-657.dat | UPX
behavioral1/files/0x000500000001a459-670.dat | UPX
behavioral1/files/0x000500000001a45d-683.dat | UPX
behavioral1/files/0x000500000001a461-695.dat | UPX
behavioral1/files/0x000500000001a465-709.dat | UPX
behavioral1/files/0x000500000001a46a-722.dat | UPX
behavioral1/files/0x000500000001a46e-737.dat | UPX
Executes dropped EXE (64 IoCs)
pid | Process
2224 | Iinmfk32.exe
2776 | Iegjqk32.exe
1680 | Iiecgjba.exe
2656 | Ielclkhe.exe
2972 | Jbpdeogo.exe
2628 | Jdcmbgkj.exe
1148 | Jhafhe32.exe
2492 | Jgfcja32.exe
2056 | Kjglkm32.exe
2360 | Kcopdb32.exe
760 | Kcamjb32.exe
1900 | Kcdjoaee.exe
896 | Kfebambf.exe
1696 | Ldjpbign.exe
2440 | Lbnpkmfg.exe
2556 | Lcaiiejc.exe
1928 | Liqoflfh.exe
1948 | Mfdopp32.exe
2264 | Mfglep32.exe
1808 | Mpopnejo.exe
1820 | Meoell32.exe
1012 | Mccbmh32.exe
1096 | Mnifja32.exe
2788 | Njpgpbpf.exe
2936 | Njbdea32.exe
2140 | Nallalep.exe
1748 | Nmcmgm32.exe
2204 | Npdfhhhe.exe
2236 | Ohojmjep.exe
2812 | Obdojcef.exe
1648 | Obgkpb32.exe
2760 | Olophhjd.exe
2584 | Oehdan32.exe
2940 | Ogiaif32.exe
2412 | Opaebkmc.exe
2600 | Omefkplm.exe
2852 | Pdonhj32.exe
2080 | Pdakniag.exe
1688 | Pnjofo32.exe
1084 | Pcghof32.exe
1640 | Qackpado.exe
520 | Ajnpecbj.exe
1104 | Ajqljc32.exe
580 | Adfqgl32.exe
2128 | Afgmodel.exe
2672 | Ackmih32.exe
2132 | Aqonbm32.exe
1116 | Abpjjeim.exe
1016 | Akiobk32.exe
1120 | Bbbgod32.exe
1268 | Bmhkmm32.exe
1248 | Bkklhjnk.exe
1196 | Bbeded32.exe
2172 | Biolanld.exe
2028 | Bnldjekl.exe
2764 | Befmfpbi.exe
2032 | Bnnaoe32.exe
1964 | Behilopf.exe
2652 | Bjebdfnn.exe
3004 | Baojapfj.exe
1904 | Bflbigdb.exe
2692 | Cmfkfa32.exe
1216 | Cfnoogbo.exe
1620 | Cmhglq32.exe
Loads dropped DLL (64 IoCs)
pid | Process
1152 | ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe
1152 | ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe
2224 | Iinmfk32.exe
2224 | Iinmfk32.exe
2776 | Iegjqk32.exe
2776 | Iegjqk32.exe
1680 | Iiecgjba.exe
1680 | Iiecgjba.exe
2656 | Ielclkhe.exe
2656 | Ielclkhe.exe
2972 | Jbpdeogo.exe
2972 | Jbpdeogo.exe
2628 | Jdcmbgkj.exe
2628 | Jdcmbgkj.exe
1148 | Jhafhe32.exe
1148 | Jhafhe32.exe
2492 | Jgfcja32.exe
2492 | Jgfcja32.exe
2056 | Kjglkm32.exe
2056 | Kjglkm32.exe
2360 | Kcopdb32.exe
2360 | Kcopdb32.exe
760 | Kcamjb32.exe
760 | Kcamjb32.exe
1900 | Kcdjoaee.exe
1900 | Kcdjoaee.exe
896 | Kfebambf.exe
896 | Kfebambf.exe
1696 | Ldjpbign.exe
1696 | Ldjpbign.exe
2440 | Lbnpkmfg.exe
2440 | Lbnpkmfg.exe
2556 | Lcaiiejc.exe
2556 | Lcaiiejc.exe
1928 | Liqoflfh.exe
1928 | Liqoflfh.exe
1948 | Mfdopp32.exe
1948 | Mfdopp32.exe
2264 | Mfglep32.exe
2264 | Mfglep32.exe
1808 | Mpopnejo.exe
1808 | Mpopnejo.exe
1820 | Meoell32.exe
1820 | Meoell32.exe
1012 | Mccbmh32.exe
1012 | Mccbmh32.exe
1096 | Mnifja32.exe
1096 | Mnifja32.exe
2788 | Njpgpbpf.exe
2788 | Njpgpbpf.exe
2936 | Njbdea32.exe
2936 | Njbdea32.exe
2140 | Nallalep.exe
2140 | Nallalep.exe
1748 | Nmcmgm32.exe
1748 | Nmcmgm32.exe
1612 | Nbbbdcgi.exe
1612 | Nbbbdcgi.exe
2236 | Ohojmjep.exe
2236 | Ohojmjep.exe
2812 | Obdojcef.exe
2812 | Obdojcef.exe
1648 | Obgkpb32.exe
1648 | Obgkpb32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Fejfmk32.exe | Fpmned32.exe
File created | C:\Windows\SysWOW64\Gdflgo32.exe | Gnicoh32.exe
File opened for modification | C:\Windows\SysWOW64\Lgbibb32.exe | Kbeqjl32.exe
File opened for modification | C:\Windows\SysWOW64\Bapfhg32.exe | Akdafn32.exe
File created | C:\Windows\SysWOW64\Cfhakqek.dll | Ggicgopd.exe
File opened for modification | C:\Windows\SysWOW64\Gmmfaa32.exe | Gjojef32.exe
File created | C:\Windows\SysWOW64\Fijbco32.exe | Fdnjkh32.exe
File created | C:\Windows\SysWOW64\Fbfjkj32.exe | Epeajo32.exe
File created | C:\Windows\SysWOW64\Jimbkh32.exe | Jdpjba32.exe
File opened for modification | C:\Windows\SysWOW64\Ckkcep32.exe | Cfnkmi32.exe
File opened for modification | C:\Windows\SysWOW64\Jjlmkb32.exe | Jkdcdf32.exe
File created | C:\Windows\SysWOW64\Mkohjbah.exe | Mbdcepcm.exe
File created | C:\Windows\SysWOW64\Ffakjm32.dll | Kekkiq32.exe
File created | C:\Windows\SysWOW64\Oepoia32.dll | Kpkpadnl.exe
File created | C:\Windows\SysWOW64\Heliepmn.exe | Hbkqdepm.exe
File opened for modification | C:\Windows\SysWOW64\Efljhq32.exe | Eemnnn32.exe
File created | C:\Windows\SysWOW64\Kdqnkoqm.dll | Nomkfk32.exe
File created | C:\Windows\SysWOW64\Gbadjg32.exe | Gqahqd32.exe
File opened for modification | C:\Windows\SysWOW64\Iikkon32.exe | Hmdkjmip.exe
File opened for modification | C:\Windows\SysWOW64\Ojkeah32.exe | Nqbaic32.exe
File created | C:\Windows\SysWOW64\Bknlaikf.dll | Bmhkmm32.exe
File opened for modification | C:\Windows\SysWOW64\Cgcnghpl.exe | Caifjn32.exe
File created | C:\Windows\SysWOW64\Pkkkap32.dll | Mphiqbon.exe
File opened for modification | C:\Windows\SysWOW64\Cjbmll32.exe | Cnklgkap.exe
File created | C:\Windows\SysWOW64\Mkaohl32.dll | Gfejjgli.exe
File created | C:\Windows\SysWOW64\Bjpjcm32.dll | Miiofn32.exe
File opened for modification | C:\Windows\SysWOW64\Bmelpa32.exe | Abkkpd32.exe
File created | C:\Windows\SysWOW64\Cblfdg32.exe | Clbnhmjo.exe
File opened for modification | C:\Windows\SysWOW64\Hpnkbpdd.exe | Hjacjifm.exe
File created | C:\Windows\SysWOW64\Lhnkffeo.exe | Lbcbjlmb.exe
File created | C:\Windows\SysWOW64\Ncbdnb32.dll | Iikkon32.exe
File opened for modification | C:\Windows\SysWOW64\Mbdcepcm.exe | Ladgkmlj.exe
File opened for modification | C:\Windows\SysWOW64\Ciohqa32.exe | Cbepdhgc.exe
File created | C:\Windows\SysWOW64\Hgmamfed.dll | Ffaaoh32.exe
File opened for modification | C:\Windows\SysWOW64\Acicla32.exe | Aahfdihn.exe
File opened for modification | C:\Windows\SysWOW64\Glpepj32.exe | Gajqbakc.exe
File opened for modification | C:\Windows\SysWOW64\Bdaojbjf.exe | Bapfhg32.exe
File opened for modification | C:\Windows\SysWOW64\Decdmi32.exe | Dfngll32.exe
File created | C:\Windows\SysWOW64\Efbfbl32.dll | Jknicnpf.exe
File created | C:\Windows\SysWOW64\Aqonbm32.exe | Ackmih32.exe
File opened for modification | C:\Windows\SysWOW64\Gpjkeoha.exe | Fnibcd32.exe
File created | C:\Windows\SysWOW64\Efljhq32.exe | Eemnnn32.exe
File created | C:\Windows\SysWOW64\Mnpobefe.exe | Mdgkjopd.exe
File created | C:\Windows\SysWOW64\Jcdadhjb.exe | Jjlmkb32.exe
File created | C:\Windows\SysWOW64\Epfbllkc.dll | Onldqejb.exe
File created | C:\Windows\SysWOW64\Nhjpkq32.dll | Qpaohjkk.exe
File opened for modification | C:\Windows\SysWOW64\Lmfgkh32.exe | Lcncbc32.exe
File created | C:\Windows\SysWOW64\Pahoec32.dll | Cblfdg32.exe
File opened for modification | C:\Windows\SysWOW64\Afgmodel.exe | Adfqgl32.exe
File opened for modification | C:\Windows\SysWOW64\Kcginj32.exe | Kindeddf.exe
File created | C:\Windows\SysWOW64\Kfodfh32.exe | Kocpbfei.exe
File opened for modification | C:\Windows\SysWOW64\Qjfalj32.exe | Qdlipplq.exe
File opened for modification | C:\Windows\SysWOW64\Ogiaif32.exe | Oehdan32.exe
File created | C:\Windows\SysWOW64\Pcbookpp.exe | Pcpbik32.exe
File created | C:\Windows\SysWOW64\Pgdekc32.dll | Popgboae.exe
File created | C:\Windows\SysWOW64\Eciljg32.dll | Jkkjeeke.exe
File created | C:\Windows\SysWOW64\Eccjdobp.dll | Epqgopbi.exe
File opened for modification | C:\Windows\SysWOW64\Pdakniag.exe | Pdonhj32.exe
File created | C:\Windows\SysWOW64\Kffqqm32.exe | Jfddkmch.exe
File created | C:\Windows\SysWOW64\Injlkf32.exe | Ilkpac32.exe
File created | C:\Windows\SysWOW64\Emagacdm.exe | Elajgpmj.exe
File opened for modification | C:\Windows\SysWOW64\Anadojlo.exe | Agglbp32.exe
File created | C:\Windows\SysWOW64\Mldlaa32.dll | Gaeqmk32.exe
File created | C:\Windows\SysWOW64\Iidbakdl.dll | Cjhckg32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4212 | 3852 | WerFault.exe | 747
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lgpdglhn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Befmfpbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iafnjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nfdddm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfdhmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nfglfdeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjkbmim.dll" | Kabngjla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbgdf32.dll" | Bedhgj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kfggkc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hpicbe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eimcjl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkgldm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mfdopp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenjme32.dll" | Olophhjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hbkqdepm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiodpjni.dll" | Jmlddeio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Inhdgdmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cfnkmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jkdcdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmddik32.dll" | Mgfiocfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nallalep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmfkfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfjolf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bjembh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeganjdl.dll" | Odacbpee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhakqek.dll" | Ggicgopd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jimbkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pgcmbcih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimfed32.dll" | Egmabg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hfbcidmk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Loaokjjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklfdlbn.dll" | Djjeedhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmldop32.dll" | Nbbbdcgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcghbo32.dll" | Ihpfgalh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbhljb32.dll" | Bnapnm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpmmfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkaegg32.dll" | Cnklgkap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hjggap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigpbioo.dll" | Oekehomj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Igkjcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdbjl32.dll" | Jkdfmoha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bcjcme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pbajbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gibkmgcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bbbgod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ekfpmf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jmipdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnahkp.dll" | Bopknhjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdbjp32.dll" | Nameek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojkndbh.dll" | Hoimecmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihpflaf.dll" | Idokma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncloha32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eddeladm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnlqk32.dll" | Goapjnoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kikokf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjchollj.dll" | Lefikg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Behilopf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cbgmigeq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Icbipe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hajhpgag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgfkmph.dll" | Igbqdlea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jbcgeilh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbiahjpi.dll" | Efljhq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Boeoek32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1152 wrote to memory of 2224 | 1152 | ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe | 28
PID 1152 wrote to memory of 2224 | 1152 | ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe | 28
PID 1152 wrote to memory of 2224 | 1152 | ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe | 28
PID 1152 wrote to memory of 2224 | 1152 | ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe | 28
PID 2224 wrote to memory of 2776 | 2224 | Iinmfk32.exe | 29
PID 2224 wrote to memory of 2776 | 2224 | Iinmfk32.exe | 29
PID 2224 wrote to memory of 2776 | 2224 | Iinmfk32.exe | 29
PID 2224 wrote to memory of 2776 | 2224 | Iinmfk32.exe | 29
PID 2776 wrote to memory of 1680 | 2776 | Iegjqk32.exe | 30
PID 2776 wrote to memory of 1680 | 2776 | Iegjqk32.exe | 30
PID 2776 wrote to memory of 1680 | 2776 | Iegjqk32.exe | 30
PID 2776 wrote to memory of 1680 | 2776 | Iegjqk32.exe | 30
PID 1680 wrote to memory of 2656 | 1680 | Iiecgjba.exe | 31
PID 1680 wrote to memory of 2656 | 1680 | Iiecgjba.exe | 31
PID 1680 wrote to memory of 2656 | 1680 | Iiecgjba.exe | 31
PID 1680 wrote to memory of 2656 | 1680 | Iiecgjba.exe | 31
PID 2656 wrote to memory of 2972 | 2656 | Ielclkhe.exe | 32
PID 2656 wrote to memory of 2972 | 2656 | Ielclkhe.exe | 32
PID 2656 wrote to memory of 2972 | 2656 | Ielclkhe.exe | 32
PID 2656 wrote to memory of 2972 | 2656 | Ielclkhe.exe | 32
PID 2972 wrote to memory of 2628 | 2972 | Jbpdeogo.exe | 33
PID 2972 wrote to memory of 2628 | 2972 | Jbpdeogo.exe | 33
PID 2972 wrote to memory of 2628 | 2972 | Jbpdeogo.exe | 33
PID 2972 wrote to memory of 2628 | 2972 | Jbpdeogo.exe | 33
PID 2628 wrote to memory of 1148 | 2628 | Jdcmbgkj.exe | 34
PID 2628 wrote to memory of 1148 | 2628 | Jdcmbgkj.exe | 34
PID 2628 wrote to memory of 1148 | 2628 | Jdcmbgkj.exe | 34
PID 2628 wrote to memory of 1148 | 2628 | Jdcmbgkj.exe | 34
PID 1148 wrote to memory of 2492 | 1148 | Jhafhe32.exe | 35
PID 1148 wrote to memory of 2492 | 1148 | Jhafhe32.exe | 35
PID 1148 wrote to memory of 2492 | 1148 | Jhafhe32.exe | 35
PID 1148 wrote to memory of 2492 | 1148 | Jhafhe32.exe | 35
PID 2492 wrote to memory of 2056 | 2492 | Jgfcja32.exe | 36
PID 2492 wrote to memory of 2056 | 2492 | Jgfcja32.exe | 36
PID 2492 wrote to memory of 2056 | 2492 | Jgfcja32.exe | 36
PID 2492 wrote to memory of 2056 | 2492 | Jgfcja32.exe | 36
PID 2056 wrote to memory of 2360 | 2056 | Kjglkm32.exe | 37
PID 2056 wrote to memory of 2360 | 2056 | Kjglkm32.exe | 37
PID 2056 wrote to memory of 2360 | 2056 | Kjglkm32.exe | 37
PID 2056 wrote to memory of 2360 | 2056 | Kjglkm32.exe | 37
PID 2360 wrote to memory of 760 | 2360 | Kcopdb32.exe | 38
PID 2360 wrote to memory of 760 | 2360 | Kcopdb32.exe | 38
PID 2360 wrote to memory of 760 | 2360 | Kcopdb32.exe | 38
PID 2360 wrote to memory of 760 | 2360 | Kcopdb32.exe | 38
PID 760 wrote to memory of 1900 | 760 | Kcamjb32.exe | 39
PID 760 wrote to memory of 1900 | 760 | Kcamjb32.exe | 39
PID 760 wrote to memory of 1900 | 760 | Kcamjb32.exe | 39
PID 760 wrote to memory of 1900 | 760 | Kcamjb32.exe | 39
PID 1900 wrote to memory of 896 | 1900 | Kcdjoaee.exe | 40
PID 1900 wrote to memory of 896 | 1900 | Kcdjoaee.exe | 40
PID 1900 wrote to memory of 896 | 1900 | Kcdjoaee.exe | 40
PID 1900 wrote to memory of 896 | 1900 | Kcdjoaee.exe | 40
PID 896 wrote to memory of 1696 | 896 | Kfebambf.exe | 41
PID 896 wrote to memory of 1696 | 896 | Kfebambf.exe | 41
PID 896 wrote to memory of 1696 | 896 | Kfebambf.exe | 41
PID 896 wrote to memory of 1696 | 896 | Kfebambf.exe | 41
PID 1696 wrote to memory of 2440 | 1696 | Ldjpbign.exe | 42
PID 1696 wrote to memory of 2440 | 1696 | Ldjpbign.exe | 42
PID 1696 wrote to memory of 2440 | 1696 | Ldjpbign.exe | 42
PID 1696 wrote to memory of 2440 | 1696 | Ldjpbign.exe | 42
PID 2440 wrote to memory of 2556 | 2440 | Lbnpkmfg.exe | 43
PID 2440 wrote to memory of 2556 | 2440 | Lbnpkmfg.exe | 43
PID 2440 wrote to memory of 2556 | 2440 | Lbnpkmfg.exe | 43
PID 2440 wrote to memory of 2556 | 2440 | Lbnpkmfg.exe | 43
Processes
depth | image path | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe | "C:\Users\Admin\AppData\Local\Temp\ac186d6277c321071ed478847b3f4ba0be10b6b111a2a55fc730a7b8c0903337.exe" | 1152 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Iinmfk32.exe | C:\Windows\system32\Iinmfk32.exe | 2224 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Iegjqk32.exe | C:\Windows\system32\Iegjqk32.exe | 2776 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Iiecgjba.exe | C:\Windows\system32\Iiecgjba.exe | 1680 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Ielclkhe.exe | C:\Windows\system32\Ielclkhe.exe | 2656 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Jbpdeogo.exe | C:\Windows\system32\Jbpdeogo.exe | 2972 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Jdcmbgkj.exe | C:\Windows\system32\Jdcmbgkj.exe | 2628 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Jhafhe32.exe | C:\Windows\system32\Jhafhe32.exe | 1148 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Jgfcja32.exe | C:\Windows\system32\Jgfcja32.exe | 2492 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Kjglkm32.exe | C:\Windows\system32\Kjglkm32.exe | 2056 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Kcopdb32.exe | C:\Windows\system32\Kcopdb32.exe | 2360 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Kcamjb32.exe | C:\Windows\system32\Kcamjb32.exe | 760 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Kcdjoaee.exe | C:\Windows\system32\Kcdjoaee.exe | 1900 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Kfebambf.exe | C:\Windows\system32\Kfebambf.exe | 896 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Ldjpbign.exe | C:\Windows\system32\Ldjpbign.exe | 1696 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Lbnpkmfg.exe | C:\Windows\system32\Lbnpkmfg.exe | 2440 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Lcaiiejc.exe | C:\Windows\system32\Lcaiiejc.exe | 2556 | Executes dropped EXE; Loads dropped DLL
18 | C:\Windows\SysWOW64\Liqoflfh.exe | C:\Windows\system32\Liqoflfh.exe | 1928 | Executes dropped EXE; Loads dropped DLL
19 | C:\Windows\SysWOW64\Mfdopp32.exe | C:\Windows\system32\Mfdopp32.exe | 1948 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
20 | C:\Windows\SysWOW64\Mfglep32.exe | C:\Windows\system32\Mfglep32.exe | 2264 | Executes dropped EXE; Loads dropped DLL
21 | C:\Windows\SysWOW64\Mpopnejo.exe | C:\Windows\system32\Mpopnejo.exe | 1808 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Meoell32.exe | C:\Windows\system32\Meoell32.exe | 1820 | Executes dropped EXE; Loads dropped DLL
23 | C:\Windows\SysWOW64\Mccbmh32.exe | C:\Windows\system32\Mccbmh32.exe | 1012 | Executes dropped EXE; Loads dropped DLL
24 | C:\Windows\SysWOW64\Mnifja32.exe | C:\Windows\system32\Mnifja32.exe | 1096 | Executes dropped EXE; Loads dropped DLL
25 | C:\Windows\SysWOW64\Njpgpbpf.exe | C:\Windows\system32\Njpgpbpf.exe | 2788 | Executes dropped EXE; Loads dropped DLL
26 | C:\Windows\SysWOW64\Njbdea32.exe | C:\Windows\system32\Njbdea32.exe | 2936 | Executes dropped EXE; Loads dropped DLL
27 | C:\Windows\SysWOW64\Nallalep.exe | C:\Windows\system32\Nallalep.exe | 2140 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
28 | C:\Windows\SysWOW64\Nmcmgm32.exe | C:\Windows\system32\Nmcmgm32.exe | 1748 | Executes dropped EXE; Loads dropped DLL
29 | C:\Windows\SysWOW64\Npdfhhhe.exe | C:\Windows\system32\Npdfhhhe.exe | 2204 | Executes dropped EXE
30 | C:\Windows\SysWOW64\Nbbbdcgi.exe | C:\Windows\system32\Nbbbdcgi.exe | 1612 | Loads dropped DLL; Modifies registry class
31 | C:\Windows\SysWOW64\Ohojmjep.exe | C:\Windows\system32\Ohojmjep.exe | 2236 | Executes dropped EXE; Loads dropped DLL
32 | C:\Windows\SysWOW64\Obdojcef.exe | C:\Windows\system32\Obdojcef.exe | 2812 | Executes dropped EXE; Loads dropped DLL
33 | C:\Windows\SysWOW64\Obgkpb32.exe | C:\Windows\system32\Obgkpb32.exe | 1648 | Executes dropped EXE; Loads dropped DLL
34 | C:\Windows\SysWOW64\Olophhjd.exe | C:\Windows\system32\Olophhjd.exe | 2760 | Executes dropped EXE; Modifies registry class
35 | C:\Windows\SysWOW64\Oehdan32.exe | C:\Windows\system32\Oehdan32.exe | 2584 | Executes dropped EXE; Drops file in System32 directory
36 | C:\Windows\SysWOW64\Ogiaif32.exe | C:\Windows\system32\Ogiaif32.exe | 2940 | Executes dropped EXE
37 | C:\Windows\SysWOW64\Opaebkmc.exe | C:\Windows\system32\Opaebkmc.exe | 2412 | Executes dropped EXE
38 | C:\Windows\SysWOW64\Omefkplm.exe | C:\Windows\system32\Omefkplm.exe | 2600 | Executes dropped EXE
39 | C:\Windows\SysWOW64\Pdonhj32.exe | C:\Windows\system32\Pdonhj32.exe | 2852 | Executes dropped EXE; Drops file in System32 directory
40 | C:\Windows\SysWOW64\Pdakniag.exe | C:\Windows\system32\Pdakniag.exe | 2080 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Pnjofo32.exe | C:\Windows\system32\Pnjofo32.exe | 1688 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
42 | C:\Windows\SysWOW64\Pcghof32.exe | C:\Windows\system32\Pcghof32.exe | 1084 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Qackpado.exe | C:\Windows\system32\Qackpado.exe | 1640 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Ajnpecbj.exe | C:\Windows\system32\Ajnpecbj.exe | 520 | Executes dropped EXE
45 | C:\Windows\SysWOW64\Ajqljc32.exe | C:\Windows\system32\Ajqljc32.exe | 1104 | Executes dropped EXE
46 | C:\Windows\SysWOW64\Adfqgl32.exe | C:\Windows\system32\Adfqgl32.exe | 580 | Executes dropped EXE; Drops file in System32 directory
47 | C:\Windows\SysWOW64\Afgmodel.exe | C:\Windows\system32\Afgmodel.exe | 2128 | Executes dropped EXE
48 | C:\Windows\SysWOW64\Ackmih32.exe | C:\Windows\system32\Ackmih32.exe | 2672 | Executes dropped EXE; Drops file in System32 directory
49 | C:\Windows\SysWOW64\Aqonbm32.exe | C:\Windows\system32\Aqonbm32.exe | 2132 | Executes dropped EXE
50 | C:\Windows\SysWOW64\Abpjjeim.exe | C:\Windows\system32\Abpjjeim.exe | 1116 | Executes dropped EXE
51 | C:\Windows\SysWOW64\Akiobk32.exe | C:\Windows\system32\Akiobk32.exe | 1016 | Executes dropped EXE
52 | C:\Windows\SysWOW64\Bbbgod32.exe | C:\Windows\system32\Bbbgod32.exe | 1120 | Executes dropped EXE; Modifies registry class
53 | C:\Windows\SysWOW64\Bmhkmm32.exe | C:\Windows\system32\Bmhkmm32.exe | 1268 | Executes dropped EXE; Drops file in System32 directory
54 | C:\Windows\SysWOW64\Bkklhjnk.exe | C:\Windows\system32\Bkklhjnk.exe | 1248 | Executes dropped EXE
55 | C:\Windows\SysWOW64\Bbeded32.exe | C:\Windows\system32\Bbeded32.exe | 1196 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Biolanld.exe | C:\Windows\system32\Biolanld.exe | 2172 | Executes dropped EXE
57 | C:\Windows\SysWOW64\Bnldjekl.exe | C:\Windows\system32\Bnldjekl.exe | 2028 | Executes dropped EXE
58 | C:\Windows\SysWOW64\Befmfpbi.exe | C:\Windows\system32\Befmfpbi.exe | 2764 | Executes dropped EXE; Modifies registry class
59 | C:\Windows\SysWOW64\Bnnaoe32.exe | C:\Windows\system32\Bnnaoe32.exe | 2032 | Executes dropped EXE
60 | C:\Windows\SysWOW64\Behilopf.exe | C:\Windows\system32\Behilopf.exe | 1964 | Executes dropped EXE; Modifies registry class
61 | C:\Windows\SysWOW64\Bjebdfnn.exe | C:\Windows\system32\Bjebdfnn.exe | 2652 | Executes dropped EXE
62 | C:\Windows\SysWOW64\Baojapfj.exe | C:\Windows\system32\Baojapfj.exe | 3004 | Executes dropped EXE
63 | C:\Windows\SysWOW64\Bflbigdb.exe | C:\Windows\system32\Bflbigdb.exe | 1904 | Executes dropped EXE
64 | C:\Windows\SysWOW64\Cmfkfa32.exe | C:\Windows\system32\Cmfkfa32.exe | 2692 | Executes dropped EXE; Modifies registry class
65 | C:\Windows\SysWOW64\Cfnoogbo.exe | C:\Windows\system32\Cfnoogbo.exe | 1216 | Executes dropped EXE
66 | C:\Windows\SysWOW64\Cmhglq32.exe | C:\Windows\system32\Cmhglq32.exe | 1620 | Executes dropped EXE
67 | C:\Windows\SysWOW64\Cbepdhgc.exe | C:\Windows\system32\Cbepdhgc.exe | 1952 | Drops file in System32 directory
68 | C:\Windows\SysWOW64\Ciohqa32.exe | C:\Windows\system32\Ciohqa32.exe | 1492 | (none)
69 | C:\Windows\SysWOW64\Cbgmigeq.exe | C:\Windows\system32\Cbgmigeq.exe | 2740 | Modifies registry class
70 | C:\Windows\SysWOW64\Cmmagpef.exe | C:\Windows\system32\Cmmagpef.exe | 2720 | (none)
71 | C:\Windows\SysWOW64\Cehfkb32.exe | C:\Windows\system32\Cehfkb32.exe | 1556 | Adds autorun key to be loaded by Explorer.exe on startup
72 | C:\Windows\SysWOW64\Clbnhmjo.exe | C:\Windows\system32\Clbnhmjo.exe | 960 | Drops file in System32 directory
73 | C:\Windows\SysWOW64\Cblfdg32.exe | C:\Windows\system32\Cblfdg32.exe | 276 | Drops file in System32 directory
74 | C:\Windows\SysWOW64\Dhiomn32.exe | C:\Windows\system32\Dhiomn32.exe | 2152 | Adds autorun key to be loaded by Explorer.exe on startup
75 | C:\Windows\SysWOW64\Djgkii32.exe | C:\Windows\system32\Djgkii32.exe | 2144 | (none)
76 | C:\Windows\SysWOW64\Daacecfc.exe | C:\Windows\system32\Daacecfc.exe | 2112 | (none)
77 | C:\Windows\SysWOW64\Dmhdkdlg.exe | C:\Windows\system32\Dmhdkdlg.exe | 1884 | (none)
78 | C:\Windows\SysWOW64\Ddblgn32.exe | C:\Windows\system32\Ddblgn32.exe | 2884 | (none)
79 | C:\Windows\SysWOW64\Dafmqb32.exe | C:\Windows\system32\Dafmqb32.exe | 2576 | (none)
80 | C:\Windows\SysWOW64\Dgbeiiqe.exe | C:\Windows\system32\Dgbeiiqe.exe | 2768 | (none)
81 | C:\Windows\SysWOW64\Dbifnj32.exe | C:\Windows\system32\Dbifnj32.exe | 2592 | (none)
82 | C:\Windows\SysWOW64\Elajgpmj.exe | C:\Windows\system32\Elajgpmj.exe | 2428 | Drops file in System32 directory
83 | C:\Windows\SysWOW64\Emagacdm.exe | C:\Windows\system32\Emagacdm.exe | 2544 | (none)
84 | C:\Windows\SysWOW64\Ecnoijbd.exe | C:\Windows\system32\Ecnoijbd.exe | 2376 | (none)
85 | C:\Windows\SysWOW64\Eoepnk32.exe | C:\Windows\system32\Eoepnk32.exe | 1436 | (none)
86 | C:\Windows\SysWOW64\Eijdkcgn.exe | C:\Windows\system32\Eijdkcgn.exe | 1712 | (none)
87 | C:\Windows\SysWOW64\Eogmcjef.exe | C:\Windows\system32\Eogmcjef.exe | 2024 | (none)
88 | C:\Windows\SysWOW64\Eddeladm.exe | C:\Windows\system32\Eddeladm.exe | 676 | Modifies registry class
89 | C:\Windows\SysWOW64\Enlidg32.exe | C:\Windows\system32\Enlidg32.exe | 2684 | (none)
90 | C:\Windows\SysWOW64\Edfbaabj.exe | C:\Windows\system32\Edfbaabj.exe | 2004 | (none)
91 | C:\Windows\SysWOW64\Fajbke32.exe | C:\Windows\system32\Fajbke32.exe | 1200 | (none)
92 | C:\Windows\SysWOW64\Fhdjgoha.exe | C:\Windows\system32\Fhdjgoha.exe | 1560 | (none)
93 | C:\Windows\SysWOW64\Fnacpffh.exe | C:\Windows\system32\Fnacpffh.exe | 3068 | (none)
94 | C:\Windows\SysWOW64\Fpoolael.exe | C:\Windows\system32\Fpoolael.exe | 1636 | (none)
95 | C:\Windows\SysWOW64\Fqdiga32.exe | C:\Windows\system32\Fqdiga32.exe | 2136 | (none)
96 | C:\Windows\SysWOW64\Ffaaoh32.exe | C:\Windows\system32\Ffaaoh32.exe | 2824 | Drops file in System32 directory
97 | C:\Windows\SysWOW64\Goiehm32.exe | C:\Windows\system32\Goiehm32.exe | 2836 | (none)
98 | C:\Windows\SysWOW64\Gjojef32.exe | C:\Windows\system32\Gjojef32.exe | 2908 | Drops file in System32 directory
99 | C:\Windows\SysWOW64\Gmmfaa32.exe | C:\Windows\system32\Gmmfaa32.exe | 2528 | (none)
100 | C:\Windows\SysWOW64\Gfejjgli.exe | C:\Windows\system32\Gfejjgli.exe | 1668 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
101 | C:\Windows\SysWOW64\Gonocmbi.exe | C:\Windows\system32\Gonocmbi.exe | 1940 | (none)
102 | C:\Windows\SysWOW64\Gfhgpg32.exe | C:\Windows\system32\Gfhgpg32.exe | 1664 | (none)
103 | C:\Windows\SysWOW64\Ggicgopd.exe | C:\Windows\system32\Ggicgopd.exe | 1592 | Drops file in System32 directory; Modifies registry class
104 | C:\Windows\SysWOW64\Goplilpf.exe | C:\Windows\system32\Goplilpf.exe | 2700 | (none)
105 | C:\Windows\SysWOW64\Gqahqd32.exe | C:\Windows\system32\Gqahqd32.exe | 848 | Drops file in System32 directory
106 | C:\Windows\SysWOW64\Gbadjg32.exe | C:\Windows\system32\Gbadjg32.exe | 1224 | (none)
107 | C:\Windows\SysWOW64\Hjlioj32.exe | C:\Windows\system32\Hjlioj32.exe | 1144 | (none)
108 | C:\Windows\SysWOW64\Hmkeke32.exe | C:\Windows\system32\Hmkeke32.exe | 1972 | Adds autorun key to be loaded by Explorer.exe on startup
109 | C:\Windows\SysWOW64\Hgpjhn32.exe | C:\Windows\system32\Hgpjhn32.exe | 2680 | (none)
110 | C:\Windows\SysWOW64\Hnjbeh32.exe | C:\Windows\system32\Hnjbeh32.exe | 2332 | Adds autorun key to be loaded by Explorer.exe on startup
111 | C:\Windows\SysWOW64\Hcgjmo32.exe | C:\Windows\system32\Hcgjmo32.exe | 2464 | (none)
112 | C:\Windows\SysWOW64\Hjacjifm.exe | C:\Windows\system32\Hjacjifm.exe | 2552 | Drops file in System32 directory
113 | C:\Windows\SysWOW64\Hpnkbpdd.exe | C:\Windows\system32\Hpnkbpdd.exe | 2408 | (none)
114 | C:\Windows\SysWOW64\Hfhcoj32.exe | C:\Windows\system32\Hfhcoj32.exe | 2388 | (none)
115 | C:\Windows\SysWOW64\Hfjpdjjo.exe | C:\Windows\system32\Hfjpdjjo.exe | 1108 | (none)
116 | C:\Windows\SysWOW64\Hmdhad32.exe | C:\Windows\system32\Hmdhad32.exe | 932 | (none)
117 | C:\Windows\SysWOW64\Iflmjihl.exe | C:\Windows\system32\Iflmjihl.exe | 2696 | Adds autorun key to be loaded by Explorer.exe on startup
118 | C:\Windows\SysWOW64\Iafnjg32.exe | C:\Windows\system32\Iafnjg32.exe | 2668 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
119 | C:\Windows\SysWOW64\Ihpfgalh.exe | C:\Windows\system32\Ihpfgalh.exe | 2712 | Modifies registry class
120 | C:\Windows\SysWOW64\Iedfqeka.exe | C:\Windows\system32\Iedfqeka.exe | 1800 | (none)
121 | C:\Windows\SysWOW64\Ippdgc32.exe | C:\Windows\system32\Ippdgc32.exe | 2688 | (none)
122 | C:\Windows\SysWOW64\Ijehdl32.exe | C:\Windows\system32\Ijehdl32.exe | 2164 | (none)