Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
15/03/2024, 17:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe
-
Size
303KB
-
MD5
147f34cda32f4a464022a3ea08654e5a
-
SHA1
a7a6f17b8f862569ff11e45fe98dc56a836934fc
-
SHA256
009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1
-
SHA512
2396d14ea2efd02e517f37cef94e64c699bf6a015a9bde817d29df26d6364f5826277da068858afc6460dee6774a609a2a94b4151f97731310a1b7f5537139ef
-
SSDEEP
6144:EuL71pfeI5CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8m34:JLhptFHRFbeE8mo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdcnlglc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjpqdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebepion.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomhcbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojieip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcfahio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mabejlob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifkojiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mochnppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlqhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahjpbad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjbad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgcgmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdjnofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe -
Executes dropped EXE 64 IoCs
pid Process 1600 Ichico32.exe 2024 Ijaapifk.exe 2592 Ifhbdj32.exe 2588 Iclcnnji.exe 2752 Ifkojiim.exe 2492 Ikggbpgd.exe 2612 Jilhldfn.exe 1176 Jkjdhpea.exe 2544 Jinead32.exe 2704 Jbfijjkl.exe 2340 Jcgfbb32.exe 2864 Jjanolhg.exe 1716 Jgenhp32.exe 2272 Jmbgpg32.exe 1800 Jghknp32.exe 596 Kappfeln.exe 2300 Kbalnnam.exe 1808 Kmgpkfab.exe 1188 Kljqgc32.exe 2420 Kbcicmpj.exe 1516 Kebepion.exe 1924 Kllmmc32.exe 1428 Knjiin32.exe 912 Kipnfged.exe 2380 Klnjbbdh.exe 1928 Komfnnck.exe 2220 Kakbjibo.exe 3068 Kibjkgca.exe 2888 Klqfhbbe.exe 2732 Lkfciogm.exe 2756 Lmdpejfq.exe 2760 Lhjdbcef.exe 2516 Lfmdnp32.exe 2476 Lodlom32.exe 3048 Lhlqhb32.exe 2688 Lkkmdn32.exe 2848 Limmokib.exe 2788 Ladeqhjd.exe 1240 Ldcamcih.exe 1608 Lbfahp32.exe 3012 Lipjejgp.exe 860 Lmkfei32.exe 268 Lpjbad32.exe 768 Lchnnp32.exe 2540 Lgdjnofi.exe 1388 Libgjj32.exe 2068 Llqcfe32.exe 1528 Loooca32.exe 1788 Mcjkcplm.exe 2428 Meigpkka.exe 1908 Midcpj32.exe 1952 Mpolmdkg.exe 2376 Maphdl32.exe 2892 Mhjpaf32.exe 2572 Mhjpaf32.exe 2940 Mkhmma32.exe 2628 Mochnppo.exe 2784 Mabejlob.exe 1744 Mhlmgf32.exe 2500 Mkjica32.exe 2996 Mnieom32.exe 2460 Mepnpj32.exe 1748 Mdcnlglc.exe 2772 Mgajhbkg.exe -
Loads dropped DLL 64 IoCs
pid Process 2360 009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe 2360 009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe 1600 Ichico32.exe 1600 Ichico32.exe 2024 Ijaapifk.exe 2024 Ijaapifk.exe 2592 Ifhbdj32.exe 2592 Ifhbdj32.exe 2588 Iclcnnji.exe 2588 Iclcnnji.exe 2752 Ifkojiim.exe 2752 Ifkojiim.exe 2492 Ikggbpgd.exe 2492 Ikggbpgd.exe 2612 Jilhldfn.exe 2612 Jilhldfn.exe 1176 Jkjdhpea.exe 1176 Jkjdhpea.exe 2544 Jinead32.exe 2544 Jinead32.exe 2704 Jbfijjkl.exe 2704 Jbfijjkl.exe 2340 Jcgfbb32.exe 2340 Jcgfbb32.exe 2864 Jjanolhg.exe 2864 Jjanolhg.exe 1716 Jgenhp32.exe 1716 Jgenhp32.exe 2272 Jmbgpg32.exe 2272 Jmbgpg32.exe 1800 Jghknp32.exe 1800 Jghknp32.exe 596 Kappfeln.exe 596 Kappfeln.exe 2300 Kbalnnam.exe 2300 Kbalnnam.exe 1808 Kmgpkfab.exe 1808 Kmgpkfab.exe 1188 Kljqgc32.exe 1188 Kljqgc32.exe 2420 Kbcicmpj.exe 2420 Kbcicmpj.exe 1516 Kebepion.exe 1516 Kebepion.exe 1924 Kllmmc32.exe 1924 Kllmmc32.exe 1428 Knjiin32.exe 1428 Knjiin32.exe 912 Kipnfged.exe 912 Kipnfged.exe 2380 Klnjbbdh.exe 2380 Klnjbbdh.exe 1928 Komfnnck.exe 1928 Komfnnck.exe 2220 Kakbjibo.exe 2220 Kakbjibo.exe 3068 Kibjkgca.exe 3068 Kibjkgca.exe 2888 Klqfhbbe.exe 2888 Klqfhbbe.exe 2732 Lkfciogm.exe 2732 Lkfciogm.exe 2756 Lmdpejfq.exe 2756 Lmdpejfq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Benfcheg.dll Mcjkcplm.exe File created C:\Windows\SysWOW64\Cmmhnnlm.dll Ofpfnqjp.exe File created C:\Windows\SysWOW64\Pbiciana.exe Ppjglfon.exe File opened for modification C:\Windows\SysWOW64\Ckignd32.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Qonlfkdd.dll Peiljl32.exe File created C:\Windows\SysWOW64\Bbdocc32.exe Ahokfj32.exe File created C:\Windows\SysWOW64\Cgbdhd32.exe Ccfhhffh.exe File created C:\Windows\SysWOW64\Hcplhi32.exe Hpapln32.exe File opened for modification C:\Windows\SysWOW64\Nfpjomgd.exe Nbdnoo32.exe File opened for modification C:\Windows\SysWOW64\Okchhc32.exe Oiellh32.exe File created C:\Windows\SysWOW64\Bbflib32.exe Bkodhe32.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Dhjgal32.exe File opened for modification C:\Windows\SysWOW64\Hlhaqogk.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Kljqgc32.exe Kmgpkfab.exe File created C:\Windows\SysWOW64\Iecimppi.dll Epfhbign.exe File created C:\Windows\SysWOW64\Hnempl32.dll Geolea32.exe File opened for modification C:\Windows\SysWOW64\Kibjkgca.exe Kakbjibo.exe File opened for modification C:\Windows\SysWOW64\Mhjpaf32.exe Maphdl32.exe File created C:\Windows\SysWOW64\Oeeonk32.dll Cdakgibq.exe File opened for modification C:\Windows\SysWOW64\Hogmmjfo.exe Hlhaqogk.exe File created C:\Windows\SysWOW64\Jjanolhg.exe Jcgfbb32.exe File opened for modification C:\Windows\SysWOW64\Kakbjibo.exe Komfnnck.exe File created C:\Windows\SysWOW64\Ebbgid32.exe Epdkli32.exe File created C:\Windows\SysWOW64\Bfekgp32.dll Fddmgjpo.exe File created C:\Windows\SysWOW64\Hmhfjo32.dll Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Baildokg.exe Bbflib32.exe File opened for modification C:\Windows\SysWOW64\Fddmgjpo.exe Flmefm32.exe File opened for modification C:\Windows\SysWOW64\Ldcamcih.exe Ladeqhjd.exe File created C:\Windows\SysWOW64\Inbndkhn.dll Meigpkka.exe File created C:\Windows\SysWOW64\Pafagk32.dll Doobajme.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cpeofk32.exe File opened for modification C:\Windows\SysWOW64\Kappfeln.exe Jghknp32.exe File created C:\Windows\SysWOW64\Iiiaeiac.dll Lodlom32.exe File created C:\Windows\SysWOW64\Ebbjqa32.dll Penfelgm.exe File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe Doobajme.exe File created C:\Windows\SysWOW64\Chcphm32.dll Emhlfmgj.exe File created C:\Windows\SysWOW64\Njgpdbgm.dll Njiijlbp.exe File created C:\Windows\SysWOW64\Memeaofm.dll Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Ogjimd32.exe Ocomlemo.exe File created C:\Windows\SysWOW64\Cdjgej32.dll Piehkkcl.exe File opened for modification C:\Windows\SysWOW64\Ajphib32.exe Adeplhib.exe File created C:\Windows\SysWOW64\Iieobopl.dll Jmbgpg32.exe File created C:\Windows\SysWOW64\Kedlancd.dll Ohqbqhde.exe File opened for modification C:\Windows\SysWOW64\Obkdonic.exe Oomhcbjp.exe File created C:\Windows\SysWOW64\Qhmbagfa.exe Pijbfj32.exe File opened for modification C:\Windows\SysWOW64\Baqbenep.exe Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Ddcdkl32.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Jamfqeie.dll Epdkli32.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Mkhmma32.exe Mhjpaf32.exe File created C:\Windows\SysWOW64\Ckggkg32.dll Qnigda32.exe File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Hghmjpap.dll Gbijhg32.exe File opened for modification C:\Windows\SysWOW64\Hjjddchg.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Jflhaaje.dll Mochnppo.exe File opened for modification C:\Windows\SysWOW64\Alenki32.exe Ambmpmln.exe File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe Fioija32.exe File created C:\Windows\SysWOW64\Lkfciogm.exe Klqfhbbe.exe File created C:\Windows\SysWOW64\Hlkljlhn.dll Lkfciogm.exe File created C:\Windows\SysWOW64\Pjholl32.dll Nocemcbj.exe File created C:\Windows\SysWOW64\Odjpkihg.exe Obkdonic.exe File opened for modification C:\Windows\SysWOW64\Bbflib32.exe Bkodhe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4228 4204 WerFault.exe 339 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Machcjcf.dll" Jgenhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiljl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmgpkfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dialipcb.dll" Pjpkjond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njbcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjhfahg.dll" Ichico32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeadcbc.dll" Amndem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgmglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqjepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoiafh32.dll" Kljqgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doffod32.dll" Oenifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pccfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdoqc32.dll" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonlfkdd.dll" Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klqfhbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll" Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahjpbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpnhgek.dll" Oelmai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjjld32.dll" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" Fjgoce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpmjak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlcgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pijbfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflhaaje.dll" Mochnppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ailkjmpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihebmne.dll" Ifhbdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikggbpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkjica32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djpmccqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meigpkka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeoofge.dll" Emcbkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eilpeooq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifkojiim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbfijjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" Gdopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kappfeln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlib32.dll" Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhmbagfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaefjm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 1600 2360 009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe 28 PID 2360 wrote to memory of 1600 2360 009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe 28 PID 2360 wrote to memory of 1600 2360 009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe 28 PID 2360 wrote to memory of 1600 2360 009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe 28 PID 1600 wrote to memory of 2024 1600 Ichico32.exe 29 PID 1600 wrote to memory of 2024 1600 Ichico32.exe 29 PID 1600 wrote to memory of 2024 1600 Ichico32.exe 29 PID 1600 wrote to memory of 2024 1600 Ichico32.exe 29 PID 2024 wrote to memory of 2592 2024 Ijaapifk.exe 30 PID 2024 wrote to memory of 2592 2024 Ijaapifk.exe 30 PID 2024 wrote to memory of 2592 2024 Ijaapifk.exe 30 PID 2024 wrote to memory of 2592 2024 Ijaapifk.exe 30 PID 2592 wrote to memory of 2588 2592 Ifhbdj32.exe 31 PID 2592 wrote to memory of 2588 2592 Ifhbdj32.exe 31 PID 2592 wrote to memory of 2588 2592 Ifhbdj32.exe 31 PID 2592 wrote to memory of 2588 2592 Ifhbdj32.exe 31 PID 2588 wrote to memory of 2752 2588 Iclcnnji.exe 32 PID 2588 wrote to memory of 2752 2588 Iclcnnji.exe 32 PID 2588 wrote to memory of 2752 2588 Iclcnnji.exe 32 PID 2588 wrote to memory of 2752 2588 Iclcnnji.exe 32 PID 2752 wrote to memory of 2492 2752 Ifkojiim.exe 33 PID 2752 wrote to memory of 2492 2752 Ifkojiim.exe 33 PID 2752 wrote to memory of 2492 2752 Ifkojiim.exe 33 PID 2752 wrote to memory of 2492 2752 Ifkojiim.exe 33 PID 2492 wrote to memory of 2612 2492 Ikggbpgd.exe 34 PID 2492 wrote to memory of 2612 2492 Ikggbpgd.exe 34 PID 2492 wrote to memory of 2612 2492 Ikggbpgd.exe 34 PID 2492 wrote to memory of 2612 2492 Ikggbpgd.exe 34 PID 2612 wrote to memory of 1176 2612 Jilhldfn.exe 35 PID 2612 wrote to memory of 1176 2612 Jilhldfn.exe 35 PID 2612 wrote to memory of 1176 2612 Jilhldfn.exe 35 PID 2612 wrote to memory of 1176 2612 Jilhldfn.exe 35 PID 1176 wrote to memory of 2544 1176 Jkjdhpea.exe 36 PID 1176 wrote to memory of 2544 1176 Jkjdhpea.exe 36 PID 1176 wrote to memory of 2544 1176 Jkjdhpea.exe 36 PID 1176 wrote to memory of 2544 1176 Jkjdhpea.exe 36 PID 2544 wrote to memory of 2704 2544 Jinead32.exe 37 PID 2544 wrote to memory of 2704 2544 Jinead32.exe 37 PID 2544 wrote to memory of 2704 2544 Jinead32.exe 37 PID 2544 wrote to memory of 2704 2544 Jinead32.exe 37 PID 2704 wrote to memory of 2340 2704 Jbfijjkl.exe 38 PID 2704 wrote to memory of 2340 2704 Jbfijjkl.exe 38 PID 2704 wrote to memory of 2340 2704 Jbfijjkl.exe 38 PID 2704 wrote to memory of 2340 2704 Jbfijjkl.exe 38 PID 2340 wrote to memory of 2864 2340 Jcgfbb32.exe 39 PID 2340 wrote to memory of 2864 2340 Jcgfbb32.exe 39 PID 2340 wrote to memory of 2864 2340 Jcgfbb32.exe 39 PID 2340 wrote to memory of 2864 2340 Jcgfbb32.exe 39 PID 2864 wrote to memory of 1716 2864 Jjanolhg.exe 40 PID 2864 wrote to memory of 1716 2864 Jjanolhg.exe 40 PID 2864 wrote to memory of 1716 2864 Jjanolhg.exe 40 PID 2864 wrote to memory of 1716 2864 Jjanolhg.exe 40 PID 1716 wrote to memory of 2272 1716 Jgenhp32.exe 41 PID 1716 wrote to memory of 2272 1716 Jgenhp32.exe 41 PID 1716 wrote to memory of 2272 1716 Jgenhp32.exe 41 PID 1716 wrote to memory of 2272 1716 Jgenhp32.exe 41 PID 2272 wrote to memory of 1800 2272 Jmbgpg32.exe 42 PID 2272 wrote to memory of 1800 2272 Jmbgpg32.exe 42 PID 2272 wrote to memory of 1800 2272 Jmbgpg32.exe 42 PID 2272 wrote to memory of 1800 2272 Jmbgpg32.exe 42 PID 1800 wrote to memory of 596 1800 Jghknp32.exe 43 PID 1800 wrote to memory of 596 1800 Jghknp32.exe 43 PID 1800 wrote to memory of 596 1800 Jghknp32.exe 43 PID 1800 wrote to memory of 596 1800 Jghknp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe"C:\Users\Admin\AppData\Local\Temp\009e9a2a4b8de78c15225bb614cb131b1ced645ce512712d0e6a00d786a3c4b1.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe33⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe37⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe38⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe41⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe42⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe43⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe45⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe47⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe48⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe49⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe52⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe53⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe55⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe57⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe60⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe62⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe63⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe65⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe66⤵PID:1232
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe67⤵PID:960
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe68⤵PID:2976
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe69⤵PID:1248
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe71⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe72⤵PID:1652
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe73⤵PID:1076
-
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe74⤵PID:1496
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe75⤵PID:276
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe76⤵PID:328
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe77⤵PID:1896
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe78⤵PID:2104
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe80⤵PID:1580
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe81⤵PID:2536
-
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe82⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe84⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe85⤵PID:2472
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe86⤵PID:2728
-
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe87⤵PID:2992
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe88⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe89⤵PID:2876
-
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe90⤵PID:2668
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe91⤵PID:1468
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe93⤵PID:1712
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe94⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe95⤵PID:2060
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe96⤵PID:680
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe97⤵
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe98⤵PID:1092
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe99⤵PID:1948
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe100⤵PID:1448
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe102⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe104⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe105⤵PID:2556
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe106⤵PID:2604
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe107⤵PID:2852
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe108⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe109⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe110⤵PID:1572
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe112⤵PID:2284
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe113⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe114⤵PID:452
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe115⤵
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1312 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe117⤵PID:1544
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe118⤵PID:2244
-
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe119⤵
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe121⤵
- Modifies registry class
PID:2636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-