Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 22:52

Static task: static1

Behavioral task: behavioral1
Sample: 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe
Resource: win10v2004-20240508-en

General
Target: 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe
Size: 385KB
MD5: 954f10b919d66b6ab21cc78283a2b773
SHA1: 846ce96d20e54d4c4c26b6c76c17ab7c91c328e1
SHA256: 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d
SHA512: 204c525d3001bd612c58129416aaf9596a8135dfdee43dc1379b457b1576d7a980ff61e2bb807346636c62d7816c628385e32ea25bd531cc50f90610371f0983
SSDEEP: 12288:i/y59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SL:sy7oWypy7o3y7Ey7oAy7oZyUy7o
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Detects executables built or packed with MPress PE compressor 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 16180, pid_target: 11360, Process: Process not Found, procid_target: 1382
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe"C:\Users\Admin\AppData\Local\Temp\783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe23⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe24⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe26⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe27⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe28⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe29⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe30⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe31⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe32⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe33⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe34⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe35⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe36⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe38⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe39⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe41⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe42⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe43⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe44⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe45⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe47⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe48⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe50⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe51⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe53⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe54⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:228 -
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe56⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe57⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe58⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe59⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Jpgmha32.exeC:\Windows\system32\Jpgmha32.exe60⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe62⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe63⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe64⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe65⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe67⤵PID:2140
-
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe68⤵PID:3420
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe69⤵PID:4916
-
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe70⤵
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe71⤵PID:3608
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe72⤵PID:4372
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe73⤵PID:2424
-
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe74⤵PID:2656
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe75⤵PID:2464
-
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe76⤵PID:3204
-
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe77⤵PID:1700
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe78⤵PID:1920
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe79⤵PID:5000
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe80⤵PID:1524
-
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe81⤵PID:680
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe82⤵PID:3636
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe83⤵PID:3084
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe84⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe85⤵PID:1992
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe86⤵PID:3340
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe87⤵PID:2884
-
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe88⤵PID:528
-
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe89⤵PID:384
-
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe91⤵PID:3224
-
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe92⤵PID:4996
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe93⤵PID:4424
-
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe94⤵PID:1796
-
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe95⤵PID:4804
-
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe96⤵PID:4276
-
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe97⤵PID:4972
-
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe98⤵PID:5032
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe99⤵
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe100⤵PID:5016
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe101⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe102⤵PID:2460
-
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe103⤵
- Drops file in System32 directory
PID:4532 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe104⤵PID:748
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe105⤵PID:5160
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe106⤵PID:5192
-
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe107⤵PID:5232
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe108⤵PID:5268
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe109⤵PID:5336
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe110⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe111⤵PID:5420
-
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe112⤵PID:5460
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe113⤵PID:5492
-
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe114⤵PID:5532
-
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe115⤵PID:5564
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe116⤵PID:5608
-
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5676 -
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe118⤵
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe119⤵PID:5788
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe120⤵PID:5856
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe121⤵PID:5912
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe122⤵PID:5960