Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
03/05/2024, 03:09
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe
-
Size
430KB
-
MD5
07dd488f9d80678e2a773d3a7245f8f5
-
SHA1
98d333f5b33229dbc7f08c6648bfd519d0c7f58f
-
SHA256
c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830
-
SHA512
9744d16db2148145314789ad0bfa765589da8004a7472d5cfeb1f0ded1f82dfa8bf8227171b53e6bf39ba32a6664b2b7e91b0c4f11a0411316ccaab8f482e5af
-
SSDEEP
3072:1UbnJAOyDvT4ZzrATsk5XVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWsf:eGcF6fXRs+HLlD0rN2ZwVht740Psz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckjacjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aminee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlpbbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlednamo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcpoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldoaklml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkoeppq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmlnbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfdcjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbknaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojhiqefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dllfkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgokmgjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbpidjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkhmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmmhdhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpjnkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Helfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heapdjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnepih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dllfkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjcolha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chokikeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnhphbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfachc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgmha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpeiioac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfljmdjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgjgcgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfmke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okhfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkhibmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jioaqfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibojncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liekmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmngglp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgokmgjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmhhehlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigollag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciobn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogaceh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbdmaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqklmpdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjmdigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhaebcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojjqlpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbklofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nilcjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nafokcol.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000d000000023b25-7.dat UPX behavioral2/files/0x000a000000023b8f-14.dat UPX behavioral2/files/0x000a000000023b92-24.dat UPX behavioral2/files/0x000a000000023b96-34.dat UPX behavioral2/files/0x000a000000023b94-32.dat UPX behavioral2/files/0x000a000000023b98-47.dat UPX behavioral2/files/0x000a000000023b9a-55.dat UPX behavioral2/files/0x000a000000023b9c-63.dat UPX behavioral2/files/0x000a000000023b9e-71.dat UPX behavioral2/files/0x000a000000023ba0-80.dat UPX behavioral2/files/0x000a000000023ba2-87.dat UPX behavioral2/files/0x000a000000023ba4-95.dat UPX behavioral2/files/0x000a000000023ba6-103.dat UPX behavioral2/files/0x000a000000023ba8-111.dat UPX behavioral2/files/0x000b000000023b8c-120.dat UPX behavioral2/files/0x000a000000023bab-127.dat UPX behavioral2/files/0x000a000000023bae-135.dat UPX behavioral2/files/0x000a000000023bb0-143.dat UPX behavioral2/files/0x000a000000023bb2-151.dat UPX behavioral2/files/0x000a000000023bb4-159.dat UPX behavioral2/files/0x000a000000023bb6-167.dat UPX behavioral2/files/0x000a000000023bb8-175.dat UPX behavioral2/files/0x000a000000023bba-183.dat UPX behavioral2/files/0x0031000000023bbc-191.dat UPX behavioral2/files/0x0031000000023bbe-199.dat UPX behavioral2/files/0x000a000000023bc0-207.dat UPX behavioral2/files/0x000a000000023bc2-215.dat UPX behavioral2/files/0x000a000000023bc4-223.dat UPX behavioral2/files/0x000a000000023bc6-231.dat UPX behavioral2/files/0x000a000000023bc8-238.dat UPX behavioral2/files/0x000a000000023bca-247.dat UPX behavioral2/files/0x000a000000023bcc-255.dat UPX behavioral2/files/0x000a000000023be3-318.dat UPX behavioral2/files/0x00140000000239cc-348.dat UPX behavioral2/files/0x0008000000023c43-402.dat UPX behavioral2/files/0x0008000000023c9d-474.dat UPX behavioral2/files/0x0007000000023caf-504.dat UPX behavioral2/files/0x0007000000023cb3-516.dat UPX behavioral2/files/0x0007000000023cbc-539.dat UPX behavioral2/files/0x0007000000023cc4-559.dat UPX behavioral2/files/0x0007000000023ced-715.dat UPX behavioral2/files/0x0007000000023cf3-736.dat UPX behavioral2/files/0x0007000000023d05-797.dat UPX behavioral2/files/0x0007000000023d09-810.dat UPX behavioral2/files/0x0007000000023d1b-872.dat UPX behavioral2/files/0x0007000000023d25-906.dat UPX behavioral2/files/0x0007000000023d49-1027.dat UPX behavioral2/files/0x0007000000023d4d-1040.dat UPX behavioral2/files/0x0007000000023d53-1061.dat UPX behavioral2/files/0x0007000000023d5d-1094.dat UPX behavioral2/files/0x0007000000023d63-1113.dat UPX behavioral2/files/0x0007000000023d67-1127.dat UPX behavioral2/files/0x0007000000023d6d-1147.dat UPX behavioral2/files/0x0007000000023d74-1165.dat UPX behavioral2/files/0x0007000000023d7a-1186.dat UPX behavioral2/files/0x0007000000023d80-1205.dat UPX behavioral2/files/0x0007000000023d96-1277.dat UPX behavioral2/files/0x0007000000023d9e-1303.dat UPX behavioral2/files/0x0007000000023da2-1315.dat UPX behavioral2/files/0x0007000000023dac-1348.dat UPX behavioral2/files/0x0007000000023db8-1390.dat UPX behavioral2/files/0x0007000000023dbc-1405.dat UPX behavioral2/files/0x0007000000023dc6-1442.dat UPX behavioral2/files/0x0007000000023dca-1457.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 1376 Dephckaf.exe 4064 Dhnepfpj.exe 3048 Dokjbp32.exe 2308 Dfdbojmq.exe 3752 Dhcnke32.exe 4624 Ejbkehcg.exe 2636 Ejegjh32.exe 1064 Elccfc32.exe 2204 Eflhoigi.exe 1656 Ehjdldfl.exe 3924 Eodlho32.exe 4984 Eqciba32.exe 3848 Ebeejijj.exe 1632 Eoifcnid.exe 3768 Fjnjqfij.exe 1952 Fqhbmqqg.exe 432 Fmocba32.exe 1944 Fcikolnh.exe 3408 Ffggkgmk.exe 3132 Fbnhphbp.exe 2984 Fobiilai.exe 2184 Fijmbb32.exe 1820 Gbcakg32.exe 2512 Gimjhafg.exe 5072 Gfqjafdq.exe 800 Gmkbnp32.exe 3260 Gjocgdkg.exe 2788 Gpklpkio.exe 4372 Gidphq32.exe 2448 Gmoliohh.exe 4536 Gmaioo32.exe 2760 Hjfihc32.exe 2328 Hcnnaikp.exe 4972 Hfljmdjc.exe 2392 Hikfip32.exe 3884 Hpenfjad.exe 3632 Hbckbepg.exe 2852 Hjjbcbqj.exe 4616 Himcoo32.exe 4020 Hadkpm32.exe 3352 Hccglh32.exe 2660 Hfachc32.exe 2216 Hippdo32.exe 3364 Hpihai32.exe 4936 Hbhdmd32.exe 2096 Hjolnb32.exe 1264 Hmmhjm32.exe 2240 Ipldfi32.exe 3176 Ibjqcd32.exe 4836 Ijaida32.exe 2572 Ipnalhii.exe 5060 Ibmmhdhm.exe 3500 Ijdeiaio.exe 1368 Iannfk32.exe 2680 Ibojncfj.exe 3680 Ijfboafl.exe 1108 Ipckgh32.exe 4548 Ifmcdblq.exe 2076 Iikopmkd.exe 2348 Iabgaklg.exe 4032 Idacmfkj.exe 4484 Ibccic32.exe 3232 Iinlemia.exe 2888 Jaedgjjd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aecqac32.dll Chmeobkq.exe File opened for modification C:\Windows\SysWOW64\Eaklidoi.exe Dhbgqohi.exe File created C:\Windows\SysWOW64\Imdgqfbd.exe Ifjodl32.exe File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe Deokon32.exe File opened for modification C:\Windows\SysWOW64\Ejegjh32.exe Ejbkehcg.exe File created C:\Windows\SysWOW64\Ldmlpbbj.exe Laopdgcg.exe File opened for modification C:\Windows\SysWOW64\Nafokcol.exe Njogjfoj.exe File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe Gkkojgao.exe File created C:\Windows\SysWOW64\Ghekjiam.dll Chokikeb.exe File opened for modification C:\Windows\SysWOW64\Kcifkp32.exe Kmlnbi32.exe File created C:\Windows\SysWOW64\Jlnpomfk.dll Nafokcol.exe File created C:\Windows\SysWOW64\Nqpego32.exe Nbmelbid.exe File created C:\Windows\SysWOW64\Qkmhlekj.exe Pnihcq32.exe File opened for modification C:\Windows\SysWOW64\Gdjjckag.exe Gcimkc32.exe File opened for modification C:\Windows\SysWOW64\Iicbehnq.exe Ibjjhn32.exe File created C:\Windows\SysWOW64\Chokikeb.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Hmmhjm32.exe Hjolnb32.exe File created C:\Windows\SysWOW64\Jpojcf32.exe Jfffjqdf.exe File opened for modification C:\Windows\SysWOW64\Kckbqpnj.exe Kpmfddnf.exe File opened for modification C:\Windows\SysWOW64\Obidhaog.exe Okolkg32.exe File opened for modification C:\Windows\SysWOW64\Cdfbibnb.exe Cojjqlpk.exe File created C:\Windows\SysWOW64\Hmhhehlb.exe Heapdjlp.exe File created C:\Windows\SysWOW64\Keblci32.dll Immapg32.exe File created C:\Windows\SysWOW64\Jcbdhp32.dll Dfpgffpm.exe File opened for modification C:\Windows\SysWOW64\Eodlho32.exe Ehjdldfl.exe File created C:\Windows\SysWOW64\Hiaohfpc.dll Ipckgh32.exe File created C:\Windows\SysWOW64\Lcdegnep.exe Laciofpa.exe File created C:\Windows\SysWOW64\Bdknoa32.dll Nqklmpdd.exe File opened for modification C:\Windows\SysWOW64\Ojhiqefo.exe Ogjmdigk.exe File created C:\Windows\SysWOW64\Hekcnknf.dll Pgopffec.exe File created C:\Windows\SysWOW64\Hqdeld32.dll Kimnbd32.exe File opened for modification C:\Windows\SysWOW64\Lgokmgjm.exe Lpebpm32.exe File created C:\Windows\SysWOW64\Kgfoan32.exe Kckbqpnj.exe File opened for modification C:\Windows\SysWOW64\Lmqgnhmp.exe Liekmj32.exe File created C:\Windows\SysWOW64\Mkbchk32.exe Mcklgm32.exe File created C:\Windows\SysWOW64\Nphhmj32.exe Njnpppkn.exe File opened for modification C:\Windows\SysWOW64\Ocnjidkf.exe Nnqbanmo.exe File created C:\Windows\SysWOW64\Bfkedibe.exe Bclhhnca.exe File created C:\Windows\SysWOW64\Qngfmkdl.dll Ibmmhdhm.exe File created C:\Windows\SysWOW64\Nhdlom32.dll Ffkjlp32.exe File opened for modification C:\Windows\SysWOW64\Hobkfd32.exe Helfik32.exe File created C:\Windows\SysWOW64\Pfolbmje.exe Pmfhig32.exe File created C:\Windows\SysWOW64\Ejegjh32.exe Ejbkehcg.exe File created C:\Windows\SysWOW64\Hbbdholl.exe Hkikkeeo.exe File created C:\Windows\SysWOW64\Jcinbcgc.dll Ibjjhn32.exe File opened for modification C:\Windows\SysWOW64\Mkpgck32.exe Mciobn32.exe File created C:\Windows\SysWOW64\Hidipe32.dll Ogogoi32.exe File created C:\Windows\SysWOW64\Hjakkfbf.dll Ifgbnlmj.exe File created C:\Windows\SysWOW64\Mjddiqoc.dll Jfcbjk32.exe File opened for modification C:\Windows\SysWOW64\Kmkfhc32.exe Klljnp32.exe File opened for modification C:\Windows\SysWOW64\Pmannhhj.exe Pnonbk32.exe File created C:\Windows\SysWOW64\Fbnhphbp.exe Ffggkgmk.exe File created C:\Windows\SysWOW64\Hippdo32.exe Hfachc32.exe File created C:\Windows\SysWOW64\Onholckc.exe Ogogoi32.exe File created C:\Windows\SysWOW64\Mnodjf32.dll Oflgep32.exe File created C:\Windows\SysWOW64\Cjbpaf32.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Nbmelbid.exe Njfmke32.exe File created C:\Windows\SysWOW64\Odljbk32.dll Ogaceh32.exe File opened for modification C:\Windows\SysWOW64\Pcjapi32.exe Obidhaog.exe File created C:\Windows\SysWOW64\Bfddbh32.dll Ajkaii32.exe File created C:\Windows\SysWOW64\Ldohebqh.exe Lnepih32.exe File created C:\Windows\SysWOW64\Ifclaeem.dll Oboaabga.exe File created C:\Windows\SysWOW64\Oekgfqeg.dll Hkikkeeo.exe File created C:\Windows\SysWOW64\Nnolfdcn.exe Njcpee32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10520 10264 WerFault.exe 535 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehedfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jehokgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npjebj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blbknaib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkgqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkalchij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkikkeeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll" Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elccfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gimjhafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll" Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll" Elccfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbnhphbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifjodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaacilcc.dll" Pnihcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll" Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jigollag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll" Lklnhlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkepnjng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdhmnlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" Mkpgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njljefql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chmeobkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hobkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnmopdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deanodkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcioiood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjeoglgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfffjqdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpkbebbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mncmjfmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmlofol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" Cenahpha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inomojol.dll" Eqciba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfljmdjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll" Lgkhlnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll" Melnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdfjifjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onholckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmkhg32.dll" Okolkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chghdqbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmqgnhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgbnmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdegandp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpeiioac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbckbepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chokikeb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4076 wrote to memory of 1376 4076 c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe 83 PID 4076 wrote to memory of 1376 4076 c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe 83 PID 4076 wrote to memory of 1376 4076 c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe 83 PID 1376 wrote to memory of 4064 1376 Dephckaf.exe 84 PID 1376 wrote to memory of 4064 1376 Dephckaf.exe 84 PID 1376 wrote to memory of 4064 1376 Dephckaf.exe 84 PID 4064 wrote to memory of 3048 4064 Dhnepfpj.exe 85 PID 4064 wrote to memory of 3048 4064 Dhnepfpj.exe 85 PID 4064 wrote to memory of 3048 4064 Dhnepfpj.exe 85 PID 3048 wrote to memory of 2308 3048 Dokjbp32.exe 86 PID 3048 wrote to memory of 2308 3048 Dokjbp32.exe 86 PID 3048 wrote to memory of 2308 3048 Dokjbp32.exe 86 PID 2308 wrote to memory of 3752 2308 Dfdbojmq.exe 87 PID 2308 wrote to memory of 3752 2308 Dfdbojmq.exe 87 PID 2308 wrote to memory of 3752 2308 Dfdbojmq.exe 87 PID 3752 wrote to memory of 4624 3752 Dhcnke32.exe 88 PID 3752 wrote to memory of 4624 3752 Dhcnke32.exe 88 PID 3752 wrote to memory of 4624 3752 Dhcnke32.exe 88 PID 4624 wrote to memory of 2636 4624 Ejbkehcg.exe 90 PID 4624 wrote to memory of 2636 4624 Ejbkehcg.exe 90 PID 4624 wrote to memory of 2636 4624 Ejbkehcg.exe 90 PID 2636 wrote to memory of 1064 2636 Ejegjh32.exe 91 PID 2636 wrote to memory of 1064 2636 Ejegjh32.exe 91 PID 2636 wrote to memory of 1064 2636 Ejegjh32.exe 91 PID 1064 wrote to memory of 2204 1064 Elccfc32.exe 93 PID 1064 wrote to memory of 2204 1064 Elccfc32.exe 93 PID 1064 wrote to memory of 2204 1064 Elccfc32.exe 93 PID 2204 wrote to memory of 1656 2204 Eflhoigi.exe 94 PID 2204 wrote to memory of 1656 2204 Eflhoigi.exe 94 PID 2204 wrote to memory of 1656 2204 Eflhoigi.exe 94 PID 1656 wrote to memory of 3924 1656 Ehjdldfl.exe 95 PID 1656 wrote to memory of 3924 1656 Ehjdldfl.exe 95 PID 1656 wrote to memory of 3924 1656 Ehjdldfl.exe 95 PID 3924 wrote to memory of 4984 3924 Eodlho32.exe 96 PID 3924 wrote to memory of 4984 3924 Eodlho32.exe 96 PID 3924 wrote to memory of 4984 3924 Eodlho32.exe 96 PID 4984 wrote to memory of 3848 4984 Eqciba32.exe 98 PID 4984 wrote to memory of 3848 4984 Eqciba32.exe 98 PID 4984 wrote to memory of 3848 4984 Eqciba32.exe 98 PID 3848 wrote to memory of 1632 3848 Ebeejijj.exe 99 PID 3848 wrote to memory of 1632 3848 Ebeejijj.exe 99 PID 3848 wrote to memory of 1632 3848 Ebeejijj.exe 99 PID 1632 wrote to memory of 3768 1632 Eoifcnid.exe 100 PID 1632 wrote to memory of 3768 1632 Eoifcnid.exe 100 PID 1632 wrote to memory of 3768 1632 Eoifcnid.exe 100 PID 3768 wrote to memory of 1952 3768 Fjnjqfij.exe 101 PID 3768 wrote to memory of 1952 3768 Fjnjqfij.exe 101 PID 3768 wrote to memory of 1952 3768 Fjnjqfij.exe 101 PID 1952 wrote to memory of 432 1952 Fqhbmqqg.exe 102 PID 1952 wrote to memory of 432 1952 Fqhbmqqg.exe 102 PID 1952 wrote to memory of 432 1952 Fqhbmqqg.exe 102 PID 432 wrote to memory of 1944 432 Fmocba32.exe 103 PID 432 wrote to memory of 1944 432 Fmocba32.exe 103 PID 432 wrote to memory of 1944 432 Fmocba32.exe 103 PID 1944 wrote to memory of 3408 1944 Fcikolnh.exe 104 PID 1944 wrote to memory of 3408 1944 Fcikolnh.exe 104 PID 1944 wrote to memory of 3408 1944 Fcikolnh.exe 104 PID 3408 wrote to memory of 3132 3408 Ffggkgmk.exe 105 PID 3408 wrote to memory of 3132 3408 Ffggkgmk.exe 105 PID 3408 wrote to memory of 3132 3408 Ffggkgmk.exe 105 PID 3132 wrote to memory of 2984 3132 Fbnhphbp.exe 106 PID 3132 wrote to memory of 2984 3132 Fbnhphbp.exe 106 PID 3132 wrote to memory of 2984 3132 Fbnhphbp.exe 106 PID 2984 wrote to memory of 2184 2984 Fobiilai.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe"C:\Users\Admin\AppData\Local\Temp\c3c41745c1c2db2a30cee9442fe83cdbf435991eddd13ef36e25bbcfe3401830.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe23⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe24⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe26⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe27⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe28⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe29⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe30⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe31⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe32⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe33⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe34⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4972 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe36⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe37⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3632 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe39⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe40⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe41⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe42⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe44⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe45⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe46⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe48⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe49⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe50⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe51⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe52⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5060 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe54⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe55⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe57⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe59⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe60⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe61⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe62⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe63⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe64⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe65⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe66⤵PID:3540
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe67⤵PID:2776
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe68⤵PID:3492
-
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe69⤵PID:2772
-
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe70⤵PID:928
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe71⤵PID:1364
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe72⤵PID:3876
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe73⤵PID:1676
-
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe75⤵PID:3196
-
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe76⤵PID:4200
-
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe78⤵PID:3236
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe80⤵PID:4580
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe81⤵PID:2696
-
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe82⤵PID:3872
-
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe83⤵PID:3080
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe84⤵PID:4788
-
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe85⤵PID:1924
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe86⤵
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe87⤵PID:5196
-
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe88⤵PID:5252
-
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe90⤵PID:5392
-
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe91⤵PID:5440
-
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe92⤵PID:5488
-
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe93⤵PID:5548
-
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe94⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe95⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe96⤵PID:5728
-
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe98⤵
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe99⤵PID:5864
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe100⤵PID:5904
-
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe101⤵PID:5944
-
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe102⤵PID:5984
-
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe103⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe105⤵
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe106⤵PID:5140
-
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe108⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe109⤵PID:5316
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe110⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe111⤵PID:5520
-
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe112⤵
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe113⤵PID:5720
-
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe114⤵PID:5764
-
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe115⤵PID:5844
-
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe116⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe117⤵PID:5452
-
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe118⤵PID:6012
-
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe119⤵
- Modifies registry class
PID:6120 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe121⤵
- Modifies registry class
PID:748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-