Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 23:54
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98.exe
Resource
win7-20240215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98.exe
-
Size
242KB
-
MD5
1a027580fa8d7a0233d865c68eb1c1c5
-
SHA1
04f7824c4798bb75fd890b777b14289fa8458053
-
SHA256
91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98
-
SHA512
42bc3b8e1a99bbe40e569bf4bfd6057181f84b9f2258f80da7e75dc25a67687c6aa6c604b23c4dffb9a0e8a1983c2acc453462133bc122aff8bf2d952413a89a
-
SSDEEP
3072:YTz6/fYyhIXnq2SV6V8ZLB6V16VKcWmjRrzKbKcWmjRrzK8VHkdYaM88KC:8z6Qq2SV66LB6X62UyHEYa0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dohfbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eocenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjqjih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eekaebcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblngpbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlaegk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdaldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehkhecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqcam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajanck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahkobekf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daolnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chghdqbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likjcbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnihcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgciaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcpcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpebpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edihepnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfbibnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnpppkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obdkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkedibe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnocof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balfaiil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnapdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fchddejl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majopeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mamleegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooeif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfeopj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdhdajea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njqmepik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdffocib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daolnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqpego32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkaiqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbgqohi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkhapfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okeieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odpjcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eadopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfankifm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odapnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijaida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojopad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgallfcq.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000d000000023b28-7.dat UPX behavioral2/files/0x000a000000023b92-15.dat UPX behavioral2/files/0x000a000000023b94-23.dat UPX behavioral2/files/0x000a000000023b96-32.dat UPX behavioral2/memory/2536-37-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023b98-40.dat UPX behavioral2/files/0x000a000000023b9a-47.dat UPX behavioral2/files/0x000a000000023b9c-55.dat UPX behavioral2/files/0x000a000000023b9e-63.dat UPX behavioral2/memory/5060-64-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023ba0-71.dat UPX behavioral2/files/0x000a000000023ba2-74.dat UPX behavioral2/memory/4324-85-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023ba4-87.dat UPX behavioral2/memory/2168-89-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023ba6-95.dat UPX behavioral2/memory/2732-96-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023ba8-103.dat UPX behavioral2/memory/2292-105-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023baa-106.dat UPX behavioral2/files/0x000a000000023bac-118.dat UPX behavioral2/memory/3924-121-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/3868-119-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023bae-128.dat UPX behavioral2/files/0x000a000000023bb0-134.dat UPX behavioral2/memory/3280-136-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023bb2-143.dat UPX behavioral2/memory/4376-144-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000b000000023b8e-150.dat UPX behavioral2/files/0x000a000000023bb5-158.dat UPX behavioral2/memory/4316-157-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023bb7-167.dat UPX behavioral2/files/0x000a000000023bb9-173.dat UPX behavioral2/files/0x000a000000023bbb-181.dat UPX behavioral2/files/0x0031000000023bbd-190.dat UPX behavioral2/files/0x0031000000023bbf-198.dat UPX behavioral2/files/0x000a000000023bc1-204.dat UPX behavioral2/files/0x000a000000023bc3-212.dat UPX behavioral2/files/0x000a000000023bc5-220.dat UPX behavioral2/files/0x000a000000023bc7-228.dat UPX behavioral2/memory/2708-229-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023bc9-237.dat UPX behavioral2/files/0x000a000000023bcb-244.dat UPX behavioral2/memory/1672-249-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023bcd-252.dat UPX behavioral2/memory/1168-258-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/2272-265-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x000a000000023bd8-283.dat UPX behavioral2/memory/3604-329-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/2812-345-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/3908-375-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x0008000000023c4e-393.dat UPX behavioral2/memory/4840-392-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/4932-403-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x0008000000023c67-405.dat UPX behavioral2/memory/2524-410-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/684-422-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/1640-437-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/files/0x0007000000023cad-474.dat UPX behavioral2/memory/1212-512-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/3548-519-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/4812-525-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/3828-532-0x0000000000400000-0x0000000000467000-memory.dmp UPX behavioral2/memory/4856-538-0x0000000000400000-0x0000000000467000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process 5104 Hcnnaikp.exe 3656 Habnjm32.exe 4788 Hbckbepg.exe 2536 Hfofbd32.exe 2808 Himcoo32.exe 440 Hippdo32.exe 2360 Hbhdmd32.exe 5060 Hfcpncdk.exe 2904 Haidklda.exe 4324 Ijaida32.exe 2168 Impepm32.exe 2732 Ibmmhdhm.exe 2292 Iannfk32.exe 3868 Icljbg32.exe 3924 Iiibkn32.exe 3884 Ibagcc32.exe 3280 Ijhodq32.exe 4376 Iikopmkd.exe 4316 Ibccic32.exe 4528 Imihfl32.exe 2448 Jpgdbg32.exe 1376 Jdcpcf32.exe 1292 Jagqlj32.exe 3100 Jibeql32.exe 2716 Jmnaakne.exe 3104 Jfffjqdf.exe 972 Jidbflcj.exe 4404 Jbmfoa32.exe 2708 Jkdnpo32.exe 860 Jpaghf32.exe 1672 Jkfkfohj.exe 1168 Jiikak32.exe 2272 Kgmlkp32.exe 2104 Kkihknfg.exe 1912 Kmgdgjek.exe 2244 Kdaldd32.exe 3680 Kgphpo32.exe 3996 Kinemkko.exe 1568 Kphmie32.exe 5008 Kbfiep32.exe 3524 Kipabjil.exe 3068 Kagichjo.exe 4352 Kdffocib.exe 2844 Kkpnlm32.exe 3604 Kibnhjgj.exe 2944 Kdhbec32.exe 2812 Kgfoan32.exe 4312 Kkbkamnl.exe 4308 Lmqgnhmp.exe 2528 Ldkojb32.exe 3912 Lkdggmlj.exe 1576 Laopdgcg.exe 3908 Ldmlpbbj.exe 4512 Lijdhiaa.exe 4660 Laalifad.exe 4840 Ldohebqh.exe 4932 Lcbiao32.exe 3576 Lnhmng32.exe 2524 Lcdegnep.exe 4008 Lgpagm32.exe 684 Lnjjdgee.exe 3044 Laefdf32.exe 1640 Lddbqa32.exe 2120 Lgbnmm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jlineehd.dll Lpnlpnih.exe File opened for modification C:\Windows\SysWOW64\Jidbflcj.exe Jfffjqdf.exe File created C:\Windows\SysWOW64\Khchklef.dll Jlbgha32.exe File opened for modification C:\Windows\SysWOW64\Jioaqfcc.exe Jcbihpel.exe File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe Daconoae.exe File opened for modification C:\Windows\SysWOW64\Lcbiao32.exe Ldohebqh.exe File created C:\Windows\SysWOW64\Ipenkiei.dll Dhnnep32.exe File created C:\Windows\SysWOW64\Keoakjca.dll Clkndpag.exe File created C:\Windows\SysWOW64\Becbkfdh.dll Colffknh.exe File created C:\Windows\SysWOW64\Hoiafcic.exe Hecmijim.exe File created C:\Windows\SysWOW64\Bchomn32.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Eeecjqkd.dll Kdffocib.exe File opened for modification C:\Windows\SysWOW64\Ojopad32.exe Ogaceh32.exe File created C:\Windows\SysWOW64\Cnicfe32.exe Chokikeb.exe File opened for modification C:\Windows\SysWOW64\Ndghmo32.exe Njacpf32.exe File created C:\Windows\SysWOW64\Olfdahne.dll Cjkjpgfi.exe File opened for modification C:\Windows\SysWOW64\Mckemg32.exe Mdhdajea.exe File created C:\Windows\SysWOW64\Lmqgnhmp.exe Kkbkamnl.exe File opened for modification C:\Windows\SysWOW64\Njcpee32.exe Ngedij32.exe File created C:\Windows\SysWOW64\Ifbbmf32.dll Anbkio32.exe File created C:\Windows\SysWOW64\Jihdea32.dll Edihepnm.exe File created C:\Windows\SysWOW64\Hobkfd32.exe Hmcojh32.exe File created C:\Windows\SysWOW64\Bmfpfmmm.dll Oneklm32.exe File created C:\Windows\SysWOW64\Hhqeiena.dll Beglgani.exe File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe Cmnpgb32.exe File opened for modification C:\Windows\SysWOW64\Okjbpglo.exe Ogogoi32.exe File created C:\Windows\SysWOW64\Dnhqigge.dll Pcccfh32.exe File created C:\Windows\SysWOW64\Jglkll32.dll Ocgdji32.exe File created C:\Windows\SysWOW64\Ijnlbk32.dll Cecbmf32.exe File created C:\Windows\SysWOW64\Cnkfcl32.dll Gmjlcj32.exe File opened for modification C:\Windows\SysWOW64\Gbgdlq32.exe Gohhpe32.exe File created C:\Windows\SysWOW64\Glccbn32.dll Icgjmapi.exe File opened for modification C:\Windows\SysWOW64\Mkepnjng.exe Mdkhapfj.exe File created C:\Windows\SysWOW64\Hlmobp32.dll Nkjjij32.exe File opened for modification C:\Windows\SysWOW64\Ffimfqgm.exe Fckajehi.exe File created C:\Windows\SysWOW64\Ifjigbdo.dll Hofdacke.exe File created C:\Windows\SysWOW64\Ojgbfocc.exe Oflgep32.exe File created C:\Windows\SysWOW64\Blfiei32.dll Pncgmkmj.exe File created C:\Windows\SysWOW64\Kdffocib.exe Kagichjo.exe File opened for modification C:\Windows\SysWOW64\Paegjl32.exe Pbbgnpgl.exe File created C:\Windows\SysWOW64\Mpaifalo.exe Mncmjfmk.exe File created C:\Windows\SysWOW64\Ecoangbg.exe Eocenh32.exe File created C:\Windows\SysWOW64\Mmbfpp32.exe Melnob32.exe File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe Mlefklpj.exe File opened for modification C:\Windows\SysWOW64\Ibagcc32.exe Iiibkn32.exe File created C:\Windows\SysWOW64\Kmgdgjek.exe Kkihknfg.exe File created C:\Windows\SysWOW64\Jlajgl32.dll Cdiooblp.exe File opened for modification C:\Windows\SysWOW64\Hofdacke.exe Hfnphn32.exe File created C:\Windows\SysWOW64\Kbejge32.dll Bnkgeg32.exe File created C:\Windows\SysWOW64\Ldohebqh.exe Laalifad.exe File created C:\Windows\SysWOW64\Bldgdago.exe Baocghgi.exe File opened for modification C:\Windows\SysWOW64\Ocegdjij.exe Oqgkhnjf.exe File created C:\Windows\SysWOW64\Mjipjg32.dll Qbgqio32.exe File created C:\Windows\SysWOW64\Hjfhhm32.dll Bcoenmao.exe File created C:\Windows\SysWOW64\Habnjm32.exe Hcnnaikp.exe File created C:\Windows\SysWOW64\Ofdhdf32.dll Kkbkamnl.exe File opened for modification C:\Windows\SysWOW64\Kipabjil.exe Kbfiep32.exe File created C:\Windows\SysWOW64\Bpflfc32.dll Anpncp32.exe File created C:\Windows\SysWOW64\Cdfbibnb.exe Cecbmf32.exe File opened for modification C:\Windows\SysWOW64\Eoolbinc.exe Elppfmoo.exe File created C:\Windows\SysWOW64\Hbcbgk32.dll Eamhodmf.exe File created C:\Windows\SysWOW64\Acjclpcf.exe Ajanck32.exe File opened for modification C:\Windows\SysWOW64\Jiikak32.exe Jkfkfohj.exe File opened for modification C:\Windows\SysWOW64\Kinemkko.exe Kgphpo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11148 10880 WerFault.exe 534 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll" Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbbgnpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchhggno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" Ifllil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll" Kpeiioac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aepefb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdolhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imoneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldjhpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlmbpgdl.dll" Ehimanbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdalf32.dll" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll" Njciko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" Lijdhiaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojopad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" Beglgani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" Chagok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldmlpbbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" Ndfqbhia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jifhaenk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facagg32.dll" Bopgjmhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cafigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll" Mibpda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifebhe.dll" Pcojkhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfibe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjqjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmafkkf.dll" Gcfqfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbckbepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahoimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" Mjqjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekcnknf.dll" Pjmlbbdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofnckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkhmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kibnhjgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgbnmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alabgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aldomc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eolpmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhdmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgmcqggf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdkhapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidipe32.dll" Okjbpglo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjbena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkgqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll" Olfobjbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpnlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll" Lcbiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll" Kibgmdcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acjclpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daolnf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3976 wrote to memory of 5104 3976 91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98.exe 87 PID 3976 wrote to memory of 5104 3976 91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98.exe 87 PID 3976 wrote to memory of 5104 3976 91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98.exe 87 PID 5104 wrote to memory of 3656 5104 Hcnnaikp.exe 88 PID 5104 wrote to memory of 3656 5104 Hcnnaikp.exe 88 PID 5104 wrote to memory of 3656 5104 Hcnnaikp.exe 88 PID 3656 wrote to memory of 4788 3656 Habnjm32.exe 89 PID 3656 wrote to memory of 4788 3656 Habnjm32.exe 89 PID 3656 wrote to memory of 4788 3656 Habnjm32.exe 89 PID 4788 wrote to memory of 2536 4788 Hbckbepg.exe 90 PID 4788 wrote to memory of 2536 4788 Hbckbepg.exe 90 PID 4788 wrote to memory of 2536 4788 Hbckbepg.exe 90 PID 2536 wrote to memory of 2808 2536 Hfofbd32.exe 91 PID 2536 wrote to memory of 2808 2536 Hfofbd32.exe 91 PID 2536 wrote to memory of 2808 2536 Hfofbd32.exe 91 PID 2808 wrote to memory of 440 2808 Himcoo32.exe 92 PID 2808 wrote to memory of 440 2808 Himcoo32.exe 92 PID 2808 wrote to memory of 440 2808 Himcoo32.exe 92 PID 440 wrote to memory of 2360 440 Hippdo32.exe 93 PID 440 wrote to memory of 2360 440 Hippdo32.exe 93 PID 440 wrote to memory of 2360 440 Hippdo32.exe 93 PID 2360 wrote to memory of 5060 2360 Hbhdmd32.exe 94 PID 2360 wrote to memory of 5060 2360 Hbhdmd32.exe 94 PID 2360 wrote to memory of 5060 2360 Hbhdmd32.exe 94 PID 5060 wrote to memory of 2904 5060 Hfcpncdk.exe 95 PID 5060 wrote to memory of 2904 5060 Hfcpncdk.exe 95 PID 5060 wrote to memory of 2904 5060 Hfcpncdk.exe 95 PID 2904 wrote to memory of 4324 2904 Haidklda.exe 96 PID 2904 wrote to memory of 4324 2904 Haidklda.exe 96 PID 2904 wrote to memory of 4324 2904 Haidklda.exe 96 PID 4324 wrote to memory of 2168 4324 Ijaida32.exe 97 PID 4324 wrote to memory of 2168 4324 Ijaida32.exe 97 PID 4324 wrote to memory of 2168 4324 Ijaida32.exe 97 PID 2168 wrote to memory of 2732 2168 Impepm32.exe 99 PID 2168 wrote to memory of 2732 2168 Impepm32.exe 99 PID 2168 wrote to memory of 2732 2168 Impepm32.exe 99 PID 2732 wrote to memory of 2292 2732 Ibmmhdhm.exe 100 PID 2732 wrote to memory of 2292 2732 Ibmmhdhm.exe 100 PID 2732 wrote to memory of 2292 2732 Ibmmhdhm.exe 100 PID 2292 wrote to memory of 3868 2292 Iannfk32.exe 101 PID 2292 wrote to memory of 3868 2292 Iannfk32.exe 101 PID 2292 wrote to memory of 3868 2292 Iannfk32.exe 101 PID 3868 wrote to memory of 3924 3868 Icljbg32.exe 103 PID 3868 wrote to memory of 3924 3868 Icljbg32.exe 103 PID 3868 wrote to memory of 3924 3868 Icljbg32.exe 103 PID 3924 wrote to memory of 3884 3924 Iiibkn32.exe 104 PID 3924 wrote to memory of 3884 3924 Iiibkn32.exe 104 PID 3924 wrote to memory of 3884 3924 Iiibkn32.exe 104 PID 3884 wrote to memory of 3280 3884 Ibagcc32.exe 105 PID 3884 wrote to memory of 3280 3884 Ibagcc32.exe 105 PID 3884 wrote to memory of 3280 3884 Ibagcc32.exe 105 PID 3280 wrote to memory of 4376 3280 Ijhodq32.exe 106 PID 3280 wrote to memory of 4376 3280 Ijhodq32.exe 106 PID 3280 wrote to memory of 4376 3280 Ijhodq32.exe 106 PID 4376 wrote to memory of 4316 4376 Iikopmkd.exe 107 PID 4376 wrote to memory of 4316 4376 Iikopmkd.exe 107 PID 4376 wrote to memory of 4316 4376 Iikopmkd.exe 107 PID 4316 wrote to memory of 4528 4316 Ibccic32.exe 108 PID 4316 wrote to memory of 4528 4316 Ibccic32.exe 108 PID 4316 wrote to memory of 4528 4316 Ibccic32.exe 108 PID 4528 wrote to memory of 2448 4528 Imihfl32.exe 109 PID 4528 wrote to memory of 2448 4528 Imihfl32.exe 109 PID 4528 wrote to memory of 2448 4528 Imihfl32.exe 109 PID 2448 wrote to memory of 1376 2448 Jpgdbg32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98.exe"C:\Users\Admin\AppData\Local\Temp\91b3d17137193d1dc90d5143b71ef14b835213308fb8cc0ae3734c54e4f65e98.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe24⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe25⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe26⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3104 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe28⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe29⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe30⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe31⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe33⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe34⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe36⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe39⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe40⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe42⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4352 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe47⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe48⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe50⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe51⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe52⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe53⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4512 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4840 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe59⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe60⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe61⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe62⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe63⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe64⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe67⤵PID:2084
-
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe68⤵PID:1528
-
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe69⤵PID:4108
-
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe70⤵PID:980
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4036 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe73⤵PID:1704
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4936 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1304 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3692 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe77⤵PID:1212
-
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe78⤵
- Drops file in System32 directory
PID:5076 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3548 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe80⤵
- Modifies registry class
PID:4812 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe81⤵PID:3828
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe82⤵PID:4856
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe83⤵PID:2780
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe84⤵
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe85⤵PID:5200
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe86⤵PID:5232
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe87⤵PID:5288
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe88⤵PID:5324
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe89⤵PID:5364
-
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe90⤵PID:5404
-
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe91⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe92⤵PID:5536
-
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe93⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe94⤵
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe95⤵PID:5664
-
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe96⤵PID:5724
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5768 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe99⤵PID:5860
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe100⤵PID:5904
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe101⤵PID:5944
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe102⤵PID:5984
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6020 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe104⤵
- Drops file in System32 directory
PID:6076 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe105⤵
- Modifies registry class
PID:6116 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe106⤵PID:1980
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe108⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe109⤵PID:5264
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe110⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe112⤵PID:3384
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe113⤵PID:5656
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe114⤵PID:5732
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe115⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe116⤵PID:5832
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe117⤵PID:5932
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe119⤵PID:6060
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe120⤵PID:4612
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe121⤵PID:5180
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-