Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
01/05/2024, 01:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe
-
Size
272KB
-
MD5
3c481227e5e5a3f6fd5d823e87700a6f
-
SHA1
21424e46860bd3655237dceecc379eae442824e2
-
SHA256
a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97
-
SHA512
363628a1a495895477a2dd0bf4b0f1c839dc1591797f7749b7ec627658d9a8ac051b464167444a03334b0ed2dec499748289300627b21ad571035c8d4a731e8a
-
SSDEEP
6144:qJuj4F53XgulByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:mJF5AgByvNv54B9f01ZmHByvNv5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqljlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmbagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkgkbipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnbhek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkgkbipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obigjnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjclbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgobhcac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbnemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpdbloof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkmnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onjgiiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egoife32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdlkld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gogangdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcnfjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgkafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpmlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkhpnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkhmma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghphaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdlkld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjljhjkl.exe -
Executes dropped EXE 64 IoCs
pid Process 2964 Iffeoj32.exe 2624 Iqljlb32.exe 2428 Ifhbdj32.exe 2776 Ikekmq32.exe 2476 Iiikfehq.exe 2936 Infdolgh.exe 2408 Jgnhga32.exe 2648 Jnhqdkde.exe 1496 Jgqemakf.exe 2312 Jnkmjk32.exe 1324 Jkonco32.exe 1156 Jegble32.exe 2024 Jfhocmnk.exe 1912 Jclomamd.exe 2772 Jmdcfg32.exe 692 Kbalnnam.exe 584 Kljqgc32.exe 1116 Kcahhq32.exe 3004 Kebepion.exe 1672 Kllmmc32.exe 2292 Kbfeimng.exe 1320 Kipnfged.exe 2844 Klnjbbdh.exe 1144 Kbhbom32.exe 1820 Kegnkh32.exe 2524 Khekgc32.exe 2548 Kbkodl32.exe 2696 Kdlkld32.exe 2456 Lkfciogm.exe 2168 Lekhfgfc.exe 2492 Lkhpnnej.exe 2668 Lodlom32.exe 2716 Ldqegd32.exe 1044 Lkkmdn32.exe 1568 Ladeqhjd.exe 2384 Lbfahp32.exe 1256 Lmkfei32.exe 2044 Lpjbad32.exe 2256 Lefkjkmc.exe 2932 Libgjj32.exe 580 Mcjkcplm.exe 536 Meigpkka.exe 860 Midcpj32.exe 240 Moalhq32.exe 992 Maphdl32.exe 1604 Migpeiag.exe 2848 Mhjpaf32.exe 2092 Mkhmma32.exe 1904 Mabejlob.exe 2980 Mdqafgnf.exe 2620 Mhlmgf32.exe 2580 Mkjica32.exe 2592 Mofecpnl.exe 352 Madapkmp.exe 2052 Mdcnlglc.exe 2732 Mgajhbkg.exe 1576 Mohbip32.exe 340 Mnkbdlbd.exe 1380 Mpjoqhah.exe 2180 Mhqfbebj.exe 2084 Mgcgmb32.exe 1924 Njbcim32.exe 484 Nnnojlpa.exe 1720 Naikkk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2916 a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe 2916 a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe 2964 Iffeoj32.exe 2964 Iffeoj32.exe 2624 Iqljlb32.exe 2624 Iqljlb32.exe 2428 Ifhbdj32.exe 2428 Ifhbdj32.exe 2776 Ikekmq32.exe 2776 Ikekmq32.exe 2476 Iiikfehq.exe 2476 Iiikfehq.exe 2936 Infdolgh.exe 2936 Infdolgh.exe 2408 Jgnhga32.exe 2408 Jgnhga32.exe 2648 Jnhqdkde.exe 2648 Jnhqdkde.exe 1496 Jgqemakf.exe 1496 Jgqemakf.exe 2312 Jnkmjk32.exe 2312 Jnkmjk32.exe 1324 Jkonco32.exe 1324 Jkonco32.exe 1156 Jegble32.exe 1156 Jegble32.exe 2024 Jfhocmnk.exe 2024 Jfhocmnk.exe 1912 Jclomamd.exe 1912 Jclomamd.exe 2772 Jmdcfg32.exe 2772 Jmdcfg32.exe 692 Kbalnnam.exe 692 Kbalnnam.exe 584 Kljqgc32.exe 584 Kljqgc32.exe 1116 Kcahhq32.exe 1116 Kcahhq32.exe 3004 Kebepion.exe 3004 Kebepion.exe 1672 Kllmmc32.exe 1672 Kllmmc32.exe 2292 Kbfeimng.exe 2292 Kbfeimng.exe 1320 Kipnfged.exe 1320 Kipnfged.exe 2844 Klnjbbdh.exe 2844 Klnjbbdh.exe 1144 Kbhbom32.exe 1144 Kbhbom32.exe 1820 Kegnkh32.exe 1820 Kegnkh32.exe 2524 Khekgc32.exe 2524 Khekgc32.exe 2548 Kbkodl32.exe 2548 Kbkodl32.exe 2696 Kdlkld32.exe 2696 Kdlkld32.exe 2456 Lkfciogm.exe 2456 Lkfciogm.exe 2168 Lekhfgfc.exe 2168 Lekhfgfc.exe 2492 Lkhpnnej.exe 2492 Lkhpnnej.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lpdbloof.exe Leonofpp.exe File opened for modification C:\Windows\SysWOW64\Cafecmlj.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Ooahdmkl.dll Bnefdp32.exe File created C:\Windows\SysWOW64\Comimg32.exe Chcqpmep.exe File created C:\Windows\SysWOW64\Flojhn32.dll Cdbdjhmp.exe File created C:\Windows\SysWOW64\Qbbfopeg.exe Qjknnbed.exe File created C:\Windows\SysWOW64\Chhjkl32.exe Cfinoq32.exe File created C:\Windows\SysWOW64\Addnil32.dll Ghfbqn32.exe File created C:\Windows\SysWOW64\Kcdnao32.exe Keanebkb.exe File created C:\Windows\SysWOW64\Dlkaflan.dll Dfoqmo32.exe File created C:\Windows\SysWOW64\Ahoanjcc.dll Emnndlod.exe File created C:\Windows\SysWOW64\Ompoljfn.dll Onbddoog.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qaefjm32.exe File created C:\Windows\SysWOW64\Lhcecp32.dll Apomfh32.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File opened for modification C:\Windows\SysWOW64\Jjojofgn.exe Jfcnngnd.exe File created C:\Windows\SysWOW64\Ipboik32.dll Kbfeimng.exe File created C:\Windows\SysWOW64\Fmnhkk32.dll Pmlkpjpj.exe File created C:\Windows\SysWOW64\Feeiob32.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Icmlam32.exe Iqopea32.exe File created C:\Windows\SysWOW64\Goipbehm.dll Ifnechbj.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Dogefd32.exe Dpeekh32.exe File created C:\Windows\SysWOW64\Cnhnca32.dll Kegnkh32.exe File created C:\Windows\SysWOW64\Ghfbqn32.exe Gicbeald.exe File created C:\Windows\SysWOW64\Cjpqdp32.exe Cgbdhd32.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File created C:\Windows\SysWOW64\Jnhqdkde.exe Jgnhga32.exe File created C:\Windows\SysWOW64\Paggai32.exe Pmlkpjpj.exe File opened for modification C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Hjacko32.dll Kaklpcoc.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cahail32.exe File opened for modification C:\Windows\SysWOW64\Emhlfmgj.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Kmaled32.exe Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Chcqpmep.exe File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe Cfgaiaci.exe File created C:\Windows\SysWOW64\Lbeknj32.exe Leajdfnm.exe File created C:\Windows\SysWOW64\Chbjffad.exe Chbjffad.exe File opened for modification C:\Windows\SysWOW64\Emieil32.exe Ejkima32.exe File opened for modification C:\Windows\SysWOW64\Jegble32.exe Jkonco32.exe File created C:\Windows\SysWOW64\Ggnncj32.dll Kbkodl32.exe File created C:\Windows\SysWOW64\Lefkjkmc.exe Lpjbad32.exe File opened for modification C:\Windows\SysWOW64\Dmoipopd.exe Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Iggkllpe.exe Ihdkao32.exe File opened for modification C:\Windows\SysWOW64\Cfmepigc.dll Kafbec32.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Leajdfnm.exe File created C:\Windows\SysWOW64\Kbhbom32.exe Klnjbbdh.exe File opened for modification C:\Windows\SysWOW64\Khekgc32.exe Kegnkh32.exe File created C:\Windows\SysWOW64\Gghcajge.dll Mhlmgf32.exe File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Cdlgpgef.exe Cldooj32.exe File opened for modification C:\Windows\SysWOW64\Nfkpdn32.exe Nghphaeo.exe File opened for modification C:\Windows\SysWOW64\Filldb32.exe Ffnphf32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Ddeaalpg.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hlcgeo32.exe File created C:\Windows\SysWOW64\Nnfbei32.dll Ddgjdk32.exe File opened for modification C:\Windows\SysWOW64\Nlblkhei.exe Nnplpl32.exe File opened for modification C:\Windows\SysWOW64\Apomfh32.exe Ampqjm32.exe File opened for modification C:\Windows\SysWOW64\Aplpai32.exe Amndem32.exe File created C:\Windows\SysWOW64\Qbgpffch.dll Cdlgpgef.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Alhjai32.exe Amejeljk.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File created C:\Windows\SysWOW64\Jbnhng32.exe Jnclnihj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6360 6328 WerFault.exe 642 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chbjffad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glfhll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnfbe32.dll" Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckdjbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldqegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elmigj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blmdlhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Flabbihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll" Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlcgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpfkqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgqemakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll" Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcbom32.dll" Nofabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbnlj32.dll" Jgidao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aipddi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpkjko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhgmapfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aibajhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lefkjkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgaje32.dll" Nkmbgdfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlcpbbm.dll" Lbnemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogblbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnaid32.dll" Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obneof32.dll" Nkaocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfimidmd.dll" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpkof32.dll" Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geofbffe.dll" Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpidpbna.dll" Lkhpnnej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nofabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obkdonic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmnmk32.dll" Jfcnngnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mofecpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlcpbbm.dll" Lpphap32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2916 wrote to memory of 2964 2916 a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe 28 PID 2916 wrote to memory of 2964 2916 a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe 28 PID 2916 wrote to memory of 2964 2916 a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe 28 PID 2916 wrote to memory of 2964 2916 a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe 28 PID 2964 wrote to memory of 2624 2964 Iffeoj32.exe 29 PID 2964 wrote to memory of 2624 2964 Iffeoj32.exe 29 PID 2964 wrote to memory of 2624 2964 Iffeoj32.exe 29 PID 2964 wrote to memory of 2624 2964 Iffeoj32.exe 29 PID 2624 wrote to memory of 2428 2624 Iqljlb32.exe 30 PID 2624 wrote to memory of 2428 2624 Iqljlb32.exe 30 PID 2624 wrote to memory of 2428 2624 Iqljlb32.exe 30 PID 2624 wrote to memory of 2428 2624 Iqljlb32.exe 30 PID 2428 wrote to memory of 2776 2428 Ifhbdj32.exe 31 PID 2428 wrote to memory of 2776 2428 Ifhbdj32.exe 31 PID 2428 wrote to memory of 2776 2428 Ifhbdj32.exe 31 PID 2428 wrote to memory of 2776 2428 Ifhbdj32.exe 31 PID 2776 wrote to memory of 2476 2776 Ikekmq32.exe 32 PID 2776 wrote to memory of 2476 2776 Ikekmq32.exe 32 PID 2776 wrote to memory of 2476 2776 Ikekmq32.exe 32 PID 2776 wrote to memory of 2476 2776 Ikekmq32.exe 32 PID 2476 wrote to memory of 2936 2476 Iiikfehq.exe 33 PID 2476 wrote to memory of 2936 2476 Iiikfehq.exe 33 PID 2476 wrote to memory of 2936 2476 Iiikfehq.exe 33 PID 2476 wrote to memory of 2936 2476 Iiikfehq.exe 33 PID 2936 wrote to memory of 2408 2936 Infdolgh.exe 34 PID 2936 wrote to memory of 2408 2936 Infdolgh.exe 34 PID 2936 wrote to memory of 2408 2936 Infdolgh.exe 34 PID 2936 wrote to memory of 2408 2936 Infdolgh.exe 34 PID 2408 wrote to memory of 2648 2408 Jgnhga32.exe 35 PID 2408 wrote to memory of 2648 2408 Jgnhga32.exe 35 PID 2408 wrote to memory of 2648 2408 Jgnhga32.exe 35 PID 2408 wrote to memory of 2648 2408 Jgnhga32.exe 35 PID 2648 wrote to memory of 1496 2648 Jnhqdkde.exe 36 PID 2648 wrote to memory of 1496 2648 Jnhqdkde.exe 36 PID 2648 wrote to memory of 1496 2648 Jnhqdkde.exe 36 PID 2648 wrote to memory of 1496 2648 Jnhqdkde.exe 36 PID 1496 wrote to memory of 2312 1496 Jgqemakf.exe 37 PID 1496 wrote to memory of 2312 1496 Jgqemakf.exe 37 PID 1496 wrote to memory of 2312 1496 Jgqemakf.exe 37 PID 1496 wrote to memory of 2312 1496 Jgqemakf.exe 37 PID 2312 wrote to memory of 1324 2312 Jnkmjk32.exe 38 PID 2312 wrote to memory of 1324 2312 Jnkmjk32.exe 38 PID 2312 wrote to memory of 1324 2312 Jnkmjk32.exe 38 PID 2312 wrote to memory of 1324 2312 Jnkmjk32.exe 38 PID 1324 wrote to memory of 1156 1324 Jkonco32.exe 39 PID 1324 wrote to memory of 1156 1324 Jkonco32.exe 39 PID 1324 wrote to memory of 1156 1324 Jkonco32.exe 39 PID 1324 wrote to memory of 1156 1324 Jkonco32.exe 39 PID 1156 wrote to memory of 2024 1156 Jegble32.exe 40 PID 1156 wrote to memory of 2024 1156 Jegble32.exe 40 PID 1156 wrote to memory of 2024 1156 Jegble32.exe 40 PID 1156 wrote to memory of 2024 1156 Jegble32.exe 40 PID 2024 wrote to memory of 1912 2024 Jfhocmnk.exe 41 PID 2024 wrote to memory of 1912 2024 Jfhocmnk.exe 41 PID 2024 wrote to memory of 1912 2024 Jfhocmnk.exe 41 PID 2024 wrote to memory of 1912 2024 Jfhocmnk.exe 41 PID 1912 wrote to memory of 2772 1912 Jclomamd.exe 42 PID 1912 wrote to memory of 2772 1912 Jclomamd.exe 42 PID 1912 wrote to memory of 2772 1912 Jclomamd.exe 42 PID 1912 wrote to memory of 2772 1912 Jclomamd.exe 42 PID 2772 wrote to memory of 692 2772 Jmdcfg32.exe 43 PID 2772 wrote to memory of 692 2772 Jmdcfg32.exe 43 PID 2772 wrote to memory of 692 2772 Jmdcfg32.exe 43 PID 2772 wrote to memory of 692 2772 Jmdcfg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe"C:\Users\Admin\AppData\Local\Temp\a4129875f78563fa9fc6a129601a6e816659ac7f554e022dc36fd803b613eb97.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe33⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe35⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe36⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe37⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe38⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe41⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe42⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe43⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe44⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe45⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe46⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe47⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe48⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe50⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe51⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe53⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe55⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe56⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe57⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe58⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe59⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe60⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe61⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe62⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe63⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe64⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe65⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe66⤵PID:1992
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe67⤵PID:3040
-
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe69⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe70⤵PID:2012
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe71⤵PID:2008
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe72⤵PID:2920
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe74⤵PID:2056
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe76⤵PID:2868
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe77⤵PID:2304
-
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe78⤵PID:1240
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe81⤵PID:1972
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe82⤵PID:924
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe83⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe84⤵PID:1704
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe85⤵PID:2172
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe86⤵
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe87⤵PID:2484
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe88⤵PID:2116
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe89⤵PID:1244
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:876 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe91⤵PID:852
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe92⤵PID:776
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe93⤵PID:2216
-
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe94⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe95⤵PID:1688
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe96⤵PID:280
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe97⤵PID:1060
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe100⤵PID:2496
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe101⤵PID:2780
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe103⤵PID:2124
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe104⤵PID:2068
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe105⤵PID:3068
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe107⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe108⤵PID:1680
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe109⤵PID:328
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe110⤵PID:1712
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe111⤵PID:2432
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe112⤵PID:2896
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe113⤵PID:2728
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe114⤵PID:2760
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe115⤵PID:1176
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe117⤵PID:624
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe118⤵PID:1080
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe119⤵PID:716
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe120⤵PID:3024
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe121⤵PID:1648
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-