Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 01:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe
-
Size
380KB
-
MD5
1c1b8c06f55692596ce3fecf741be223
-
SHA1
bc547919417eff2d035d2408da2a9e801cf6c9a6
-
SHA256
ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b
-
SHA512
9f73d3c3cb96835e265e8892b4540a3a5db45cb8353d42032fe5febd026e73cfdc89806fb207dae9e12e5293b1d3dd7d9dfa2a57e6d3b39038338434407905b8
-
SSDEEP
6144:c6P3TQmXnqCN9Otopg5tTDUZNSN58VU5tTvnVn5tTDUZNSN58Vh:V3TQmX/Otoq5t6NSN6G5tbt5t6NSN6T
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnofejom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koocdnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkmbgdfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hicodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgaiaci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnhfjmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlgefh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgcgmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomhcbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgpkfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkfjhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfkpdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banepo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeplkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmbgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gopkmhjk.exe -
Executes dropped EXE 64 IoCs
pid Process 1908 Ikekmq32.exe 2616 Ifkojiim.exe 2504 Ioccco32.exe 2524 Jeplkf32.exe 2404 Jinead32.exe 2804 Jgqemakf.exe 1504 Jklanp32.exe 2644 Jnkmjk32.exe 2320 Jgenhp32.exe 1604 Jnofejom.exe 1624 Jmbgpg32.exe 2316 Jghknp32.exe 1052 Kbalnnam.exe 2484 Kjhdokbo.exe 2368 Kmgpkfab.exe 336 Kpemgbqf.exe 1064 Kllmmc32.exe 1044 Knjiin32.exe 356 Kfaajlfp.exe 3040 Kakbjibo.exe 1508 Kibjkgca.exe 780 Klqfhbbe.exe 948 Koocdnai.exe 2844 Kanopipl.exe 2772 Lhggmchi.exe 1660 Lkfciogm.exe 2732 Lodlom32.exe 2680 Labhkh32.exe 2620 Ldqegd32.exe 2420 Lgoacojo.exe 632 Lkkmdn32.exe 2456 Lmiipi32.exe 2632 Ladeqhjd.exe 2128 Ldcamcih.exe 2292 Lkmjin32.exe 1628 Lipjejgp.exe 328 Llnfaffc.exe 2756 Ldenbcge.exe 596 Lchnnp32.exe 1136 Lgdjnofi.exe 1556 Lefkjkmc.exe 1824 Libgjj32.exe 1120 Llqcfe32.exe 1292 Lplogdmj.exe 1008 Mcjkcplm.exe 1984 Mgfgdn32.exe 572 Meigpkka.exe 2904 Mhgclfje.exe 1488 Mpolmdkg.exe 2492 Mcmhiojk.exe 2428 Maphdl32.exe 2452 Mekdekin.exe 2308 Migpeiag.exe 1144 Mlelaeqk.exe 1776 Mkhmma32.exe 1640 Mabejlob.exe 1492 Mhlmgf32.exe 1728 Mkjica32.exe 2120 Mnieom32.exe 1944 Mepnpj32.exe 1464 Mhnjle32.exe 1444 Mgajhbkg.exe 2132 Mohbip32.exe 2788 Mnkbdlbd.exe -
Loads dropped DLL 64 IoCs
pid Process 2236 ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe 2236 ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe 1908 Ikekmq32.exe 1908 Ikekmq32.exe 2616 Ifkojiim.exe 2616 Ifkojiim.exe 2504 Ioccco32.exe 2504 Ioccco32.exe 2524 Jeplkf32.exe 2524 Jeplkf32.exe 2404 Jinead32.exe 2404 Jinead32.exe 2804 Jgqemakf.exe 2804 Jgqemakf.exe 1504 Jklanp32.exe 1504 Jklanp32.exe 2644 Jnkmjk32.exe 2644 Jnkmjk32.exe 2320 Jgenhp32.exe 2320 Jgenhp32.exe 1604 Jnofejom.exe 1604 Jnofejom.exe 1624 Jmbgpg32.exe 1624 Jmbgpg32.exe 2316 Jghknp32.exe 2316 Jghknp32.exe 1052 Kbalnnam.exe 1052 Kbalnnam.exe 2484 Kjhdokbo.exe 2484 Kjhdokbo.exe 2368 Kmgpkfab.exe 2368 Kmgpkfab.exe 336 Kpemgbqf.exe 336 Kpemgbqf.exe 1064 Kllmmc32.exe 1064 Kllmmc32.exe 1044 Knjiin32.exe 1044 Knjiin32.exe 356 Kfaajlfp.exe 356 Kfaajlfp.exe 3040 Kakbjibo.exe 3040 Kakbjibo.exe 1508 Kibjkgca.exe 1508 Kibjkgca.exe 780 Klqfhbbe.exe 780 Klqfhbbe.exe 948 Koocdnai.exe 948 Koocdnai.exe 2844 Kanopipl.exe 2844 Kanopipl.exe 2772 Lhggmchi.exe 2772 Lhggmchi.exe 1660 Lkfciogm.exe 1660 Lkfciogm.exe 2732 Lodlom32.exe 2732 Lodlom32.exe 2680 Labhkh32.exe 2680 Labhkh32.exe 2620 Ldqegd32.exe 2620 Ldqegd32.exe 2420 Lgoacojo.exe 2420 Lgoacojo.exe 632 Lkkmdn32.exe 632 Lkkmdn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nqqdag32.exe Nleiqhcg.exe File created C:\Windows\SysWOW64\Ogmfbd32.exe Ocajbekl.exe File opened for modification C:\Windows\SysWOW64\Hlakpp32.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Oelmai32.exe Obnqem32.exe File opened for modification C:\Windows\SysWOW64\Baildokg.exe Bokphdld.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hlfdkoin.exe File opened for modification C:\Windows\SysWOW64\Ohqbqhde.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Ampqjm32.exe Ajbdna32.exe File created C:\Windows\SysWOW64\Comimg32.exe Clomqk32.exe File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Gkihhhnm.exe Glfhll32.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ilknfn32.exe File created C:\Windows\SysWOW64\Lmkgjhfn.dll Pnbacbac.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cngcjo32.exe File created C:\Windows\SysWOW64\Ipdljffa.dll Dflkdp32.exe File created C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Gobgcg32.exe Gldkfl32.exe File created C:\Windows\SysWOW64\Ahcocb32.dll Glfhll32.exe File opened for modification C:\Windows\SysWOW64\Gkkemh32.exe Ggpimica.exe File created C:\Windows\SysWOW64\Jklanp32.exe Jgqemakf.exe File created C:\Windows\SysWOW64\Pijbfj32.exe Pbpjiphi.exe File opened for modification C:\Windows\SysWOW64\Nlbodgap.dll Cdlnkmha.exe File created C:\Windows\SysWOW64\Epafjqck.dll Eqonkmdh.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Hdhbam32.exe Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Lkkmdn32.exe Lgoacojo.exe File created C:\Windows\SysWOW64\Pcfcmd32.exe Paggai32.exe File opened for modification C:\Windows\SysWOW64\Fmcoja32.exe Fnpnndgp.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Fcmgfkeg.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gphmeo32.exe File created C:\Windows\SysWOW64\Odjpkihg.exe Oomhcbjp.exe File opened for modification C:\Windows\SysWOW64\Pcfcmd32.exe Paggai32.exe File created C:\Windows\SysWOW64\Ifclcknc.dll Qljkhe32.exe File opened for modification C:\Windows\SysWOW64\Mnieom32.exe Mkjica32.exe File opened for modification C:\Windows\SysWOW64\Ogmfbd32.exe Ocajbekl.exe File created C:\Windows\SysWOW64\Cndbcc32.exe Cobbhfhg.exe File created C:\Windows\SysWOW64\Hepmggig.dll Hdhbam32.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Mhgclfje.exe Meigpkka.exe File created C:\Windows\SysWOW64\Ofpfnqjp.exe Ogmfbd32.exe File opened for modification C:\Windows\SysWOW64\Pjmodopf.exe Pfbccp32.exe File opened for modification C:\Windows\SysWOW64\Pbiciana.exe Pcfcmd32.exe File opened for modification C:\Windows\SysWOW64\Dnneja32.exe Dfgmhd32.exe File created C:\Windows\SysWOW64\Lghegkoc.dll Fnpnndgp.exe File created C:\Windows\SysWOW64\Kdanej32.dll Fcmgfkeg.exe File created C:\Windows\SysWOW64\Jmmjdk32.dll Gmjaic32.exe File created C:\Windows\SysWOW64\Nlblkhei.exe Njdpomfe.exe File created C:\Windows\SysWOW64\Neeeodef.dll Odgcfijj.exe File created C:\Windows\SysWOW64\Obnqem32.exe Ojficpfn.exe File created C:\Windows\SysWOW64\Chemfl32.exe Cjbmjplb.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Iebpge32.dll Gdopkn32.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Kfaajlfp.exe Knjiin32.exe File created C:\Windows\SysWOW64\Libgjj32.exe Lefkjkmc.exe File created C:\Windows\SysWOW64\Ogfpbeim.exe Oicpfh32.exe File created C:\Windows\SysWOW64\Ccfhhffh.exe Coklgg32.exe File created C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File opened for modification C:\Windows\SysWOW64\Ekklaj32.exe Emhlfmgj.exe File created C:\Windows\SysWOW64\Iagjfjkn.dll Lefkjkmc.exe File created C:\Windows\SysWOW64\Ofdcjm32.exe Obigjnkf.exe File created C:\Windows\SysWOW64\Paejki32.exe Ongnonkb.exe -
Program crash 1 IoCs
pid pid_target Process 4872 4848 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknnbklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgcfijj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piblek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kibjkgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldcamcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkiklhim.dll" Magnek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idphiplp.dll" Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Ioijbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqhhknjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doobajme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlgefh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeogmlj.dll" Bhfagipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" Fpfdalii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnhgge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opljoqmk.dll" Kbalnnam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndgggf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckblig32.dll" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjhpbe32.dll" Lkkmdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll" Bgknheej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Migpeiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioccco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbilenko.dll" Jghknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfgfm32.dll" Kanopipl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppamme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkebie32.dll" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" Dfgmhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejcjbah.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1908 2236 ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe 28 PID 2236 wrote to memory of 1908 2236 ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe 28 PID 2236 wrote to memory of 1908 2236 ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe 28 PID 2236 wrote to memory of 1908 2236 ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe 28 PID 1908 wrote to memory of 2616 1908 Ikekmq32.exe 29 PID 1908 wrote to memory of 2616 1908 Ikekmq32.exe 29 PID 1908 wrote to memory of 2616 1908 Ikekmq32.exe 29 PID 1908 wrote to memory of 2616 1908 Ikekmq32.exe 29 PID 2616 wrote to memory of 2504 2616 Ifkojiim.exe 30 PID 2616 wrote to memory of 2504 2616 Ifkojiim.exe 30 PID 2616 wrote to memory of 2504 2616 Ifkojiim.exe 30 PID 2616 wrote to memory of 2504 2616 Ifkojiim.exe 30 PID 2504 wrote to memory of 2524 2504 Ioccco32.exe 31 PID 2504 wrote to memory of 2524 2504 Ioccco32.exe 31 PID 2504 wrote to memory of 2524 2504 Ioccco32.exe 31 PID 2504 wrote to memory of 2524 2504 Ioccco32.exe 31 PID 2524 wrote to memory of 2404 2524 Jeplkf32.exe 32 PID 2524 wrote to memory of 2404 2524 Jeplkf32.exe 32 PID 2524 wrote to memory of 2404 2524 Jeplkf32.exe 32 PID 2524 wrote to memory of 2404 2524 Jeplkf32.exe 32 PID 2404 wrote to memory of 2804 2404 Jinead32.exe 33 PID 2404 wrote to memory of 2804 2404 Jinead32.exe 33 PID 2404 wrote to memory of 2804 2404 Jinead32.exe 33 PID 2404 wrote to memory of 2804 2404 Jinead32.exe 33 PID 2804 wrote to memory of 1504 2804 Jgqemakf.exe 34 PID 2804 wrote to memory of 1504 2804 Jgqemakf.exe 34 PID 2804 wrote to memory of 1504 2804 Jgqemakf.exe 34 PID 2804 wrote to memory of 1504 2804 Jgqemakf.exe 34 PID 1504 wrote to memory of 2644 1504 Jklanp32.exe 35 PID 1504 wrote to memory of 2644 1504 Jklanp32.exe 35 PID 1504 wrote to memory of 2644 1504 Jklanp32.exe 35 PID 1504 wrote to memory of 2644 1504 Jklanp32.exe 35 PID 2644 wrote to memory of 2320 2644 Jnkmjk32.exe 36 PID 2644 wrote to memory of 2320 2644 Jnkmjk32.exe 36 PID 2644 wrote to memory of 2320 2644 Jnkmjk32.exe 36 PID 2644 wrote to memory of 2320 2644 Jnkmjk32.exe 36 PID 2320 wrote to memory of 1604 2320 Jgenhp32.exe 37 PID 2320 wrote to memory of 1604 2320 Jgenhp32.exe 37 PID 2320 wrote to memory of 1604 2320 Jgenhp32.exe 37 PID 2320 wrote to memory of 1604 2320 Jgenhp32.exe 37 PID 1604 wrote to memory of 1624 1604 Jnofejom.exe 38 PID 1604 wrote to memory of 1624 1604 Jnofejom.exe 38 PID 1604 wrote to memory of 1624 1604 Jnofejom.exe 38 PID 1604 wrote to memory of 1624 1604 Jnofejom.exe 38 PID 1624 wrote to memory of 2316 1624 Jmbgpg32.exe 39 PID 1624 wrote to memory of 2316 1624 Jmbgpg32.exe 39 PID 1624 wrote to memory of 2316 1624 Jmbgpg32.exe 39 PID 1624 wrote to memory of 2316 1624 Jmbgpg32.exe 39 PID 2316 wrote to memory of 1052 2316 Jghknp32.exe 40 PID 2316 wrote to memory of 1052 2316 Jghknp32.exe 40 PID 2316 wrote to memory of 1052 2316 Jghknp32.exe 40 PID 2316 wrote to memory of 1052 2316 Jghknp32.exe 40 PID 1052 wrote to memory of 2484 1052 Kbalnnam.exe 41 PID 1052 wrote to memory of 2484 1052 Kbalnnam.exe 41 PID 1052 wrote to memory of 2484 1052 Kbalnnam.exe 41 PID 1052 wrote to memory of 2484 1052 Kbalnnam.exe 41 PID 2484 wrote to memory of 2368 2484 Kjhdokbo.exe 42 PID 2484 wrote to memory of 2368 2484 Kjhdokbo.exe 42 PID 2484 wrote to memory of 2368 2484 Kjhdokbo.exe 42 PID 2484 wrote to memory of 2368 2484 Kjhdokbo.exe 42 PID 2368 wrote to memory of 336 2368 Kmgpkfab.exe 43 PID 2368 wrote to memory of 336 2368 Kmgpkfab.exe 43 PID 2368 wrote to memory of 336 2368 Kmgpkfab.exe 43 PID 2368 wrote to memory of 336 2368 Kmgpkfab.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe"C:\Users\Admin\AppData\Local\Temp\ba0cd9077f7d9f5f1ec8d2e15f48ec9baaed5b521c0867b645f859e7dc309a2b.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:356 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe33⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe36⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe37⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe38⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe39⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe40⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe41⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe43⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe44⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe46⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe47⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe49⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe50⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe52⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe53⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe55⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe56⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe57⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe58⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe60⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe61⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe62⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe63⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe66⤵
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe67⤵PID:928
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe68⤵PID:2516
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe70⤵PID:2568
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe71⤵PID:2092
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe72⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe73⤵PID:916
-
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe75⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe76⤵PID:1040
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe77⤵PID:2692
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe78⤵PID:1160
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe80⤵PID:2284
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe81⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe82⤵PID:1560
-
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe83⤵PID:804
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe84⤵PID:2748
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe85⤵PID:2896
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe86⤵PID:932
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe88⤵PID:2068
-
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe89⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe90⤵PID:2964
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe91⤵PID:1196
-
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe92⤵PID:1612
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe94⤵PID:2684
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe95⤵PID:2924
-
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe96⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe98⤵PID:1344
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe99⤵PID:1300
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe100⤵PID:1924
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe101⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe102⤵PID:2592
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe105⤵PID:2372
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:472 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1260 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe108⤵PID:2124
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe110⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe111⤵
- Modifies registry class
PID:292 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe112⤵PID:2536
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe113⤵PID:2972
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe115⤵PID:1232
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe116⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe117⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe118⤵PID:1896
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:480 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe120⤵
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe121⤵PID:2500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-