Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19/05/2024, 19:32
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe
-
Size
344KB
-
MD5
1d706c2cac33894ca2892aace944d254
-
SHA1
ee8f7ecf82dadd5500ad695d946c40fe464dd453
-
SHA256
215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef
-
SHA512
4324b8f9c1758117f29b0b8b0edfb4014e35b81f080afdf00d7809510804b156fcff805f49bda6fe1db3b160babdd45af63eb50fd503ff9686d68354978582cb
-
SSDEEP
6144:DD7n4WRoXQqCpX2/mnbzvdLaD6OkPgl6bmIjlQFn:fLPopCpXImbzQD6OkPgl6bmIjKn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldleel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngmgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndcdmikd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmpcdfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgjlelk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnlhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkojgao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdina32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofeilobp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkjlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkfhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblfnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgqcqkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldanqkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdehlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkedibe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojhiqefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofdacke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpclbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjokdipf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chghdqbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffddka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipnjab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllcen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgjgcgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfknkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgqdlnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcckif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcagkdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Himldi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqdoboli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oponmilc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgllfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldgdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dllfkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahkobekf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdolhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcddpdpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihbijhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgjfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alabgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opakbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjoankoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Menjdbgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpgpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibqpimpl.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x0008000000022f51-6.dat UPX behavioral2/files/0x00080000000233f7-14.dat UPX behavioral2/files/0x00070000000233fd-23.dat UPX behavioral2/files/0x0007000000023400-31.dat UPX behavioral2/files/0x0007000000023402-38.dat UPX behavioral2/files/0x0007000000023404-46.dat UPX behavioral2/files/0x0007000000023406-54.dat UPX behavioral2/files/0x0007000000023408-62.dat UPX behavioral2/files/0x000700000002340a-70.dat UPX behavioral2/files/0x000700000002340c-78.dat UPX behavioral2/files/0x000700000002340e-86.dat UPX behavioral2/files/0x0007000000023410-89.dat UPX behavioral2/files/0x0007000000023412-103.dat UPX behavioral2/files/0x00090000000233ef-110.dat UPX behavioral2/files/0x0007000000023415-118.dat UPX behavioral2/files/0x0007000000023417-126.dat UPX behavioral2/files/0x0007000000023419-134.dat UPX behavioral2/files/0x000700000002341c-142.dat UPX behavioral2/files/0x000700000002341e-150.dat UPX behavioral2/files/0x0007000000023420-159.dat UPX behavioral2/files/0x0007000000023422-168.dat UPX behavioral2/files/0x0007000000023424-174.dat UPX behavioral2/files/0x0007000000023426-182.dat UPX behavioral2/files/0x0007000000023428-191.dat UPX behavioral2/files/0x000700000002342a-193.dat UPX behavioral2/files/0x000700000002342c-206.dat UPX behavioral2/files/0x000700000002342e-214.dat UPX behavioral2/files/0x0007000000023430-222.dat UPX behavioral2/files/0x0007000000023432-230.dat UPX behavioral2/files/0x0007000000023434-238.dat UPX behavioral2/files/0x0007000000023436-246.dat UPX behavioral2/files/0x0007000000023438-254.dat UPX behavioral2/files/0x000700000002343c-262.dat UPX behavioral2/files/0x0007000000023456-341.dat UPX behavioral2/files/0x0007000000023482-479.dat UPX behavioral2/files/0x0007000000023499-546.dat UPX behavioral2/files/0x00070000000234bb-662.dat UPX behavioral2/files/0x00070000000234c3-689.dat UPX behavioral2/files/0x00070000000234d1-738.dat UPX behavioral2/files/0x00070000000234dd-778.dat UPX behavioral2/files/0x00070000000234ed-831.dat UPX behavioral2/files/0x00070000000234f1-844.dat UPX behavioral2/files/0x00070000000234f7-865.dat UPX behavioral2/files/0x0007000000023508-919.dat UPX behavioral2/files/0x0007000000023514-959.dat UPX behavioral2/files/0x0007000000023520-1002.dat UPX behavioral2/files/0x0008000000023389-1029.dat UPX behavioral2/files/0x0007000000023534-1116.dat UPX behavioral2/files/0x0007000000023553-1219.dat UPX behavioral2/files/0x0007000000023559-1239.dat UPX behavioral2/files/0x0007000000023577-1341.dat UPX behavioral2/files/0x000700000002357e-1361.dat UPX behavioral2/files/0x0007000000023584-1381.dat UPX behavioral2/files/0x000700000002358b-1409.dat UPX behavioral2/files/0x000700000002359a-1450.dat UPX behavioral2/files/0x00070000000235bd-1583.dat UPX behavioral2/files/0x00070000000235d1-1652.dat UPX behavioral2/files/0x00070000000235e7-1732.dat UPX behavioral2/files/0x00070000000235f1-1769.dat UPX behavioral2/files/0x00070000000235fd-1812.dat UPX behavioral2/files/0x000700000002361b-1923.dat UPX behavioral2/files/0x0007000000023621-1946.dat UPX behavioral2/files/0x0007000000023637-2023.dat UPX behavioral2/files/0x000700000002363d-2042.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 4520 Mdiklqhm.exe 1316 Mdkhapfj.exe 4648 Mcnhmm32.exe 3936 Mglack32.exe 2280 Mpdelajl.exe 2480 Njljefql.exe 3996 Nklfoi32.exe 5052 Nnjbke32.exe 5044 Nddkgonp.exe 4524 Nbhkac32.exe 4032 Ngedij32.exe 3184 Ndidbn32.exe 4512 Nnaikd32.exe 228 Ndkahnhh.exe 4844 Ojhiqefo.exe 4148 Okhfjh32.exe 464 Oqdoboli.exe 3656 Okjbpglo.exe 768 Obdkma32.exe 1632 Ogaceh32.exe 2696 Oqihnn32.exe 4940 Ocgdji32.exe 2308 Onmhgb32.exe 2844 Odgqdlnj.exe 2312 Pghieg32.exe 1916 Pqpnombl.exe 1476 Pgjfkg32.exe 1064 Pbpjhp32.exe 4144 Pjkombfj.exe 2636 Pkjlge32.exe 2332 Qecppkdm.exe 3800 Qjpiha32.exe 2040 Qnkdhpjn.exe 4048 Qajadlja.exe 3968 Acjjfggb.exe 404 Alabgd32.exe 4280 Anpncp32.exe 3344 Aanjpk32.exe 2144 Ahhblemi.exe 4860 Aldomc32.exe 4792 Abngjnmo.exe 3976 Aaqgek32.exe 3900 Ahkobekf.exe 484 Andgoobc.exe 2052 Aacckjaf.exe 3420 Adapgfqj.exe 1184 Angddopp.exe 1336 Aealah32.exe 4912 Alkdnboj.exe 2484 Abemjmgg.exe 528 Bahmfj32.exe 4964 Bdfibe32.exe 2132 Bhaebcen.exe 1516 Bnlnon32.exe 4496 Bajjli32.exe 2608 Beeflhdh.exe 3132 Blpnib32.exe 2776 Bnnjen32.exe 3604 Balfaiil.exe 3108 Bdkcmdhp.exe 3632 Blbknaib.exe 4164 Bopgjmhe.exe 4808 Baocghgi.exe 3744 Bdmpcdfm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpgfooop.exe Kimnbd32.exe File created C:\Windows\SysWOW64\Obdkma32.exe Okjbpglo.exe File opened for modification C:\Windows\SysWOW64\Fkalchij.exe Flnlhk32.exe File opened for modification C:\Windows\SysWOW64\Imdgqfbd.exe Iemppiab.exe File opened for modification C:\Windows\SysWOW64\Jfcbjk32.exe Jmknaell.exe File created C:\Windows\SysWOW64\Ojllan32.exe Ognpebpj.exe File opened for modification C:\Windows\SysWOW64\Mdiklqhm.exe 215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe File opened for modification C:\Windows\SysWOW64\Cajcbgml.exe Colffknh.exe File created C:\Windows\SysWOW64\Ecoangbg.exe Ecmeig32.exe File opened for modification C:\Windows\SysWOW64\Lgmngglp.exe Ldoaklml.exe File created C:\Windows\SysWOW64\Bapiabak.exe Bnbmefbg.exe File created C:\Windows\SysWOW64\Nnjbke32.exe Nklfoi32.exe File created C:\Windows\SysWOW64\Kmalco32.dll Nklfoi32.exe File opened for modification C:\Windows\SysWOW64\Angddopp.exe Adapgfqj.exe File opened for modification C:\Windows\SysWOW64\Ckedalaj.exe Chghdqbf.exe File opened for modification C:\Windows\SysWOW64\Jmhale32.exe Ibcmom32.exe File created C:\Windows\SysWOW64\Knfoif32.dll Oflgep32.exe File created C:\Windows\SysWOW64\Jmmmebhb.dll Anogiicl.exe File created C:\Windows\SysWOW64\Ikpaldog.exe Iiaephpc.exe File opened for modification C:\Windows\SysWOW64\Aeniabfd.exe Afmhck32.exe File created C:\Windows\SysWOW64\Kplcdidf.dll Eolpmi32.exe File created C:\Windows\SysWOW64\Gkkojgao.exe Gdqgmmjb.exe File opened for modification C:\Windows\SysWOW64\Nnlhfn32.exe Njqmepik.exe File created C:\Windows\SysWOW64\Npjebj32.exe Nnlhfn32.exe File created C:\Windows\SysWOW64\Qfbgbeai.dll Odapnf32.exe File created C:\Windows\SysWOW64\Qecppkdm.exe Pkjlge32.exe File opened for modification C:\Windows\SysWOW64\Bbnpqk32.exe Bldgdago.exe File created C:\Windows\SysWOW64\Jbglkbhg.dll Flnlhk32.exe File created C:\Windows\SysWOW64\Goaojagc.dll Nnjlpo32.exe File created C:\Windows\SysWOW64\Oponmilc.exe Nnqbanmo.exe File created C:\Windows\SysWOW64\Ojoign32.exe Ogpmjb32.exe File created C:\Windows\SysWOW64\Ekphijkm.dll Pclgkb32.exe File created C:\Windows\SysWOW64\Pkjlge32.exe Pjkombfj.exe File opened for modification C:\Windows\SysWOW64\Imfdff32.exe Iikhfg32.exe File opened for modification C:\Windows\SysWOW64\Ndokbi32.exe Mlhbal32.exe File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe Njljefql.exe File opened for modification C:\Windows\SysWOW64\Beihma32.exe Bmbplc32.exe File created C:\Windows\SysWOW64\Anogiicl.exe Anmjcieo.exe File opened for modification C:\Windows\SysWOW64\Cbqlfkmi.exe Bdolhc32.exe File opened for modification C:\Windows\SysWOW64\Hkfoeega.exe Hihbijhn.exe File opened for modification C:\Windows\SysWOW64\Hmjdjgjo.exe Hecmijim.exe File opened for modification C:\Windows\SysWOW64\Ipnjab32.exe Imoneg32.exe File created C:\Windows\SysWOW64\Iblfnn32.exe Ipnjab32.exe File created C:\Windows\SysWOW64\Icpnnd32.dll Kdqejn32.exe File created C:\Windows\SysWOW64\Pkfcej32.dll Lgokmgjm.exe File created C:\Windows\SysWOW64\Cajlhqjp.exe Ceckcp32.exe File created C:\Windows\SysWOW64\Dddhpjof.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Dnqmalhn.dll Ckedalaj.exe File created C:\Windows\SysWOW64\Ehljfnpn.exe Eabbjc32.exe File created C:\Windows\SysWOW64\Kmipecpd.dll Fllpbldb.exe File created C:\Windows\SysWOW64\Fchddejl.exe Fkalchij.exe File created C:\Windows\SysWOW64\Gkhbdg32.exe Ffkjlp32.exe File created C:\Windows\SysWOW64\Hodgkc32.exe Hmfkoh32.exe File created C:\Windows\SysWOW64\Pqpnombl.exe Pghieg32.exe File created C:\Windows\SysWOW64\Imhkcaln.dll Hbnjmp32.exe File created C:\Windows\SysWOW64\Mgagbf32.exe Mdckfk32.exe File created C:\Windows\SysWOW64\Flfelggh.dll Mckemg32.exe File created C:\Windows\SysWOW64\Odqjbebh.dll Hkfoeega.exe File created C:\Windows\SysWOW64\Anmjcieo.exe Qjoankoi.exe File created C:\Windows\SysWOW64\Gidbim32.dll Djgjlelk.exe File created C:\Windows\SysWOW64\Bmbplc32.exe Bjddphlq.exe File created C:\Windows\SysWOW64\Delnin32.exe Dmefhako.exe File created C:\Windows\SysWOW64\Lpkman32.dll Pqpnombl.exe File opened for modification C:\Windows\SysWOW64\Ehedfo32.exe Eolpmi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9584 9496 WerFault.exe 429 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdiklqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqpnombl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimmfkfe.dll" Qecppkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnkogdb.dll" Bnnjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmafkkf.dll" Gicinj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojaelm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbeqmoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldgdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lffhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" Onhhamgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfaigm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beglgani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikhen32.dll" Gdqgmmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oncofm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngedij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifefimom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqihnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbedgde.dll" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klgqcqkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdehlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll" Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afjlnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgqdlnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epogol32.dll" Pjkombfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdkcmdhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiefcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll" Oneklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndidbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcckif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll" Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" Cmgjgcgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbnjmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjokdipf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjkombfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aealah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmfkoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcckif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblabf.dll" Hmfkoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dllfkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbbdholl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Megkhf32.dll" Blpnib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfgjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqkei32.dll" Ipnjab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmehcnhg.dll" Iblfnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldoaklml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceckcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll" Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjagjhnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iehfdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoahijl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmhja32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2960 wrote to memory of 4520 2960 215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe 82 PID 2960 wrote to memory of 4520 2960 215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe 82 PID 2960 wrote to memory of 4520 2960 215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe 82 PID 4520 wrote to memory of 1316 4520 Mdiklqhm.exe 83 PID 4520 wrote to memory of 1316 4520 Mdiklqhm.exe 83 PID 4520 wrote to memory of 1316 4520 Mdiklqhm.exe 83 PID 1316 wrote to memory of 4648 1316 Mdkhapfj.exe 84 PID 1316 wrote to memory of 4648 1316 Mdkhapfj.exe 84 PID 1316 wrote to memory of 4648 1316 Mdkhapfj.exe 84 PID 4648 wrote to memory of 3936 4648 Mcnhmm32.exe 85 PID 4648 wrote to memory of 3936 4648 Mcnhmm32.exe 85 PID 4648 wrote to memory of 3936 4648 Mcnhmm32.exe 85 PID 3936 wrote to memory of 2280 3936 Mglack32.exe 86 PID 3936 wrote to memory of 2280 3936 Mglack32.exe 86 PID 3936 wrote to memory of 2280 3936 Mglack32.exe 86 PID 2280 wrote to memory of 2480 2280 Mpdelajl.exe 87 PID 2280 wrote to memory of 2480 2280 Mpdelajl.exe 87 PID 2280 wrote to memory of 2480 2280 Mpdelajl.exe 87 PID 2480 wrote to memory of 3996 2480 Njljefql.exe 89 PID 2480 wrote to memory of 3996 2480 Njljefql.exe 89 PID 2480 wrote to memory of 3996 2480 Njljefql.exe 89 PID 3996 wrote to memory of 5052 3996 Nklfoi32.exe 91 PID 3996 wrote to memory of 5052 3996 Nklfoi32.exe 91 PID 3996 wrote to memory of 5052 3996 Nklfoi32.exe 91 PID 5052 wrote to memory of 5044 5052 Nnjbke32.exe 92 PID 5052 wrote to memory of 5044 5052 Nnjbke32.exe 92 PID 5052 wrote to memory of 5044 5052 Nnjbke32.exe 92 PID 5044 wrote to memory of 4524 5044 Nddkgonp.exe 93 PID 5044 wrote to memory of 4524 5044 Nddkgonp.exe 93 PID 5044 wrote to memory of 4524 5044 Nddkgonp.exe 93 PID 4524 wrote to memory of 4032 4524 Nbhkac32.exe 94 PID 4524 wrote to memory of 4032 4524 Nbhkac32.exe 94 PID 4524 wrote to memory of 4032 4524 Nbhkac32.exe 94 PID 4032 wrote to memory of 3184 4032 Ngedij32.exe 95 PID 4032 wrote to memory of 3184 4032 Ngedij32.exe 95 PID 4032 wrote to memory of 3184 4032 Ngedij32.exe 95 PID 3184 wrote to memory of 4512 3184 Ndidbn32.exe 97 PID 3184 wrote to memory of 4512 3184 Ndidbn32.exe 97 PID 3184 wrote to memory of 4512 3184 Ndidbn32.exe 97 PID 4512 wrote to memory of 228 4512 Nnaikd32.exe 98 PID 4512 wrote to memory of 228 4512 Nnaikd32.exe 98 PID 4512 wrote to memory of 228 4512 Nnaikd32.exe 98 PID 228 wrote to memory of 4844 228 Ndkahnhh.exe 99 PID 228 wrote to memory of 4844 228 Ndkahnhh.exe 99 PID 228 wrote to memory of 4844 228 Ndkahnhh.exe 99 PID 4844 wrote to memory of 4148 4844 Ojhiqefo.exe 100 PID 4844 wrote to memory of 4148 4844 Ojhiqefo.exe 100 PID 4844 wrote to memory of 4148 4844 Ojhiqefo.exe 100 PID 4148 wrote to memory of 464 4148 Okhfjh32.exe 101 PID 4148 wrote to memory of 464 4148 Okhfjh32.exe 101 PID 4148 wrote to memory of 464 4148 Okhfjh32.exe 101 PID 464 wrote to memory of 3656 464 Oqdoboli.exe 102 PID 464 wrote to memory of 3656 464 Oqdoboli.exe 102 PID 464 wrote to memory of 3656 464 Oqdoboli.exe 102 PID 3656 wrote to memory of 768 3656 Okjbpglo.exe 103 PID 3656 wrote to memory of 768 3656 Okjbpglo.exe 103 PID 3656 wrote to memory of 768 3656 Okjbpglo.exe 103 PID 768 wrote to memory of 1632 768 Obdkma32.exe 104 PID 768 wrote to memory of 1632 768 Obdkma32.exe 104 PID 768 wrote to memory of 1632 768 Obdkma32.exe 104 PID 1632 wrote to memory of 2696 1632 Ogaceh32.exe 105 PID 1632 wrote to memory of 2696 1632 Ogaceh32.exe 105 PID 1632 wrote to memory of 2696 1632 Ogaceh32.exe 105 PID 2696 wrote to memory of 4940 2696 Oqihnn32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe"C:\Users\Admin\AppData\Local\Temp\215efea3ffe339185ae6a4c72fd5c9d93c97f3ee73e3b69338194ceefbceaeef.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe23⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe24⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe29⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4144 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe33⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe34⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe35⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe36⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe38⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe39⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe40⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe41⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe42⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe43⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe45⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe46⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3420 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe48⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe50⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe51⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe52⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe53⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe54⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe55⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe56⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe60⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe62⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe63⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe64⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe67⤵PID:744
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4560 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe69⤵PID:4456
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe70⤵PID:3676
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe71⤵PID:3852
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe72⤵PID:4176
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe73⤵PID:2680
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe74⤵PID:4312
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe75⤵PID:1092
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe76⤵
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe77⤵PID:1344
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe79⤵PID:3148
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe80⤵PID:3236
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3836 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe82⤵
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe83⤵
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe84⤵PID:5296
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe85⤵PID:5348
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe86⤵PID:5380
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe87⤵PID:5436
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe88⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe89⤵PID:5540
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe90⤵PID:5584
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe91⤵PID:5628
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe93⤵PID:5720
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe94⤵PID:5764
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe95⤵
- Drops file in System32 directory
PID:5804 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe96⤵PID:5848
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe97⤵PID:5892
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5936 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5980 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe100⤵PID:6024
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe101⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe102⤵PID:6108
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe103⤵PID:5176
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe104⤵PID:5252
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe105⤵PID:5344
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe106⤵PID:5428
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe107⤵PID:5516
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe109⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe110⤵PID:5716
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe113⤵
- Drops file in System32 directory
PID:5932 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe114⤵PID:5992
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe115⤵PID:6076
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe116⤵PID:6140
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe117⤵PID:5308
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe118⤵PID:5388
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe119⤵PID:5580
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe120⤵PID:5648
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5760
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-