Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 22:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe
-
Size
59KB
-
MD5
c8fec8c06f257d4cd44d52de8ec153e8
-
SHA1
16cb7a08c0bed725b8d889d3ff7632aba352a60f
-
SHA256
571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62
-
SHA512
0c47261e49dd71e56e13dd408b0a935163b818d80f7b90882cc0581bb94de537e222a99d43dd13cdf9a1465e4dffa8ef3f4a42e96c344692c719c232e5298674
-
SSDEEP
1536:NReGBPUbr539IB8ZaQQQQQQu3ZuoSnya12LeO:j5U2QQQQQQu3rw4eO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epdkli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmlpigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbfopeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfinoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfgdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jegble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfmhol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koocdnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpqclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgajhbkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnkbdlbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obigjnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldqegd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libgjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfcmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bingpmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiikfehq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcicmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnieom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdocc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keikqhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlkpjpj.exe -
Executes dropped EXE 64 IoCs
pid Process 2744 Iiikfehq.exe 2624 Ioccco32.exe 2432 Infdolgh.exe 2640 Ibapoj32.exe 2712 Ifmlpigj.exe 2860 Jeplkf32.exe 1844 Jgnhga32.exe 2664 Jkjdhpea.exe 2756 Joepio32.exe 2000 Jbdlejmn.exe 1676 Jagmpg32.exe 2120 Jinead32.exe 620 Jklanp32.exe 632 Jjoailji.exe 2084 Jbfijjkl.exe 2228 Jaiiff32.exe 588 Jcgfbb32.exe 1720 Jgcabqic.exe 1128 Jjanolhg.exe 1980 Jnmjok32.exe 1580 Jmpjkggj.exe 1208 Jakfkfpc.exe 1900 Jegble32.exe 2964 Jgenhp32.exe 2920 Jnofejom.exe 2928 Jpqclb32.exe 2568 Jclomamd.exe 2524 Jfkkimlh.exe 2148 Jmdcfg32.exe 2780 Kappfeln.exe 2660 Kpcpbb32.exe 1956 Kfmhol32.exe 2028 Kjhdokbo.exe 2476 Kmgpkfab.exe 3048 Kpemgbqf.exe 328 Kbcicmpj.exe 3024 Kebepion.exe 2340 Kphimanc.exe 948 Knjiin32.exe 2788 Kfaajlfp.exe 2392 Kedaeh32.exe 2160 Kpjfba32.exe 2932 Kakbjibo.exe 816 Kegnkh32.exe 676 Kjcgco32.exe 2520 Koocdnai.exe 2840 Kbkodl32.exe 1700 Kanopipl.exe 1728 Kdlkld32.exe 2456 Llccmb32.exe 1588 Lkfciogm.exe 2616 Lekhfgfc.exe 1532 Lhjdbcef.exe 2032 Lfmdnp32.exe 2544 Lkhpnnej.exe 752 Lmgmjjdn.exe 1944 Lpeifeca.exe 2236 Ldqegd32.exe 1872 Lgoacojo.exe 352 Limmokib.exe 2244 Limmokib.exe 2288 Lmiipi32.exe 2436 Ladeqhjd.exe 2368 Lpgele32.exe -
Loads dropped DLL 64 IoCs
pid Process 3056 571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe 3056 571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe 2744 Iiikfehq.exe 2744 Iiikfehq.exe 2624 Ioccco32.exe 2624 Ioccco32.exe 2432 Infdolgh.exe 2432 Infdolgh.exe 2640 Ibapoj32.exe 2640 Ibapoj32.exe 2712 Ifmlpigj.exe 2712 Ifmlpigj.exe 2860 Jeplkf32.exe 2860 Jeplkf32.exe 1844 Jgnhga32.exe 1844 Jgnhga32.exe 2664 Jkjdhpea.exe 2664 Jkjdhpea.exe 2756 Joepio32.exe 2756 Joepio32.exe 2000 Jbdlejmn.exe 2000 Jbdlejmn.exe 1676 Jagmpg32.exe 1676 Jagmpg32.exe 2120 Jinead32.exe 2120 Jinead32.exe 620 Jklanp32.exe 620 Jklanp32.exe 632 Jjoailji.exe 632 Jjoailji.exe 2084 Jbfijjkl.exe 2084 Jbfijjkl.exe 2228 Jaiiff32.exe 2228 Jaiiff32.exe 588 Jcgfbb32.exe 588 Jcgfbb32.exe 1720 Jgcabqic.exe 1720 Jgcabqic.exe 1128 Jjanolhg.exe 1128 Jjanolhg.exe 1980 Jnmjok32.exe 1980 Jnmjok32.exe 1580 Jmpjkggj.exe 1580 Jmpjkggj.exe 1208 Jakfkfpc.exe 1208 Jakfkfpc.exe 1900 Jegble32.exe 1900 Jegble32.exe 2964 Jgenhp32.exe 2964 Jgenhp32.exe 2920 Jnofejom.exe 2920 Jnofejom.exe 2928 Jpqclb32.exe 2928 Jpqclb32.exe 2568 Jclomamd.exe 2568 Jclomamd.exe 2524 Jfkkimlh.exe 2524 Jfkkimlh.exe 2148 Jmdcfg32.exe 2148 Jmdcfg32.exe 2780 Kappfeln.exe 2780 Kappfeln.exe 2660 Kpcpbb32.exe 2660 Kpcpbb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oghlgdgk.exe Odjpkihg.exe File created C:\Windows\SysWOW64\Hgbebiao.exe Ghoegl32.exe File created C:\Windows\SysWOW64\Plcdgfbo.exe Pmqdkj32.exe File opened for modification C:\Windows\SysWOW64\Pijbfj32.exe Penfelgm.exe File opened for modification C:\Windows\SysWOW64\Cciemedf.exe Comimg32.exe File opened for modification C:\Windows\SysWOW64\Gicbeald.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Oqcnfjli.exe Omgaek32.exe File created C:\Windows\SysWOW64\Aofqfokm.dll Alhjai32.exe File opened for modification C:\Windows\SysWOW64\Nkaocp32.exe Ngfcca32.exe File created C:\Windows\SysWOW64\Kifjcn32.dll Ffbicfoc.exe File opened for modification C:\Windows\SysWOW64\Llccmb32.exe Kdlkld32.exe File created C:\Windows\SysWOW64\Igoopg32.dll Lfmdnp32.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Fglhobmg.dll Dbbkja32.exe File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Jfkkimlh.exe Jclomamd.exe File created C:\Windows\SysWOW64\Loooca32.exe Lplogdmj.exe File opened for modification C:\Windows\SysWOW64\Migpeiag.exe Mekdekin.exe File created C:\Windows\SysWOW64\Pfbccp32.exe Pgobhcac.exe File created C:\Windows\SysWOW64\Moalhq32.exe Mpolmdkg.exe File created C:\Windows\SysWOW64\Nbdppp32.dll Oqcnfjli.exe File opened for modification C:\Windows\SysWOW64\Bpcbqk32.exe Baqbenep.exe File opened for modification C:\Windows\SysWOW64\Lgoacojo.exe Ldqegd32.exe File created C:\Windows\SysWOW64\Fcmgmp32.dll Nfmmin32.exe File created C:\Windows\SysWOW64\Kpikfj32.dll Afdlhchf.exe File created C:\Windows\SysWOW64\Nlbodgap.dll Cfinoq32.exe File created C:\Windows\SysWOW64\Mjghmm32.dll Jgnhga32.exe File opened for modification C:\Windows\SysWOW64\Lmgmjjdn.exe Lkhpnnej.exe File opened for modification C:\Windows\SysWOW64\Onmkio32.exe Oojknblb.exe File opened for modification C:\Windows\SysWOW64\Dflkdp32.exe Dbpodagk.exe File created C:\Windows\SysWOW64\Ebpkce32.exe Ecmkghcl.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Jnmjok32.exe Jjanolhg.exe File created C:\Windows\SysWOW64\Lmnbkinf.exe Libgjj32.exe File created C:\Windows\SysWOW64\Mnkbdlbd.exe Mohbip32.exe File opened for modification C:\Windows\SysWOW64\Cibgai32.dll Aoffmd32.exe File created C:\Windows\SysWOW64\Djbiicon.exe Dfgmhd32.exe File opened for modification C:\Windows\SysWOW64\Jnofejom.exe Jgenhp32.exe File created C:\Windows\SysWOW64\Oqndkj32.exe Oomhcbjp.exe File created C:\Windows\SysWOW64\Imgcddkm.dll Oghlgdgk.exe File created C:\Windows\SysWOW64\Bkaqmeah.exe Bkaqmeah.exe File created C:\Windows\SysWOW64\Hbbhkqaj.dll Bkdmcdoe.exe File created C:\Windows\SysWOW64\Deokcq32.dll Bpafkknm.exe File created C:\Windows\SysWOW64\Hjmmggff.dll Jgcabqic.exe File created C:\Windows\SysWOW64\Hnbjle32.dll Nhnfkigh.exe File opened for modification C:\Windows\SysWOW64\Cbkeib32.exe Cciemedf.exe File created C:\Windows\SysWOW64\Cfeoofge.dll Emcbkn32.exe File created C:\Windows\SysWOW64\Mhqfbebj.exe Mdejaf32.exe File opened for modification C:\Windows\SysWOW64\Obigjnkf.exe Onmkio32.exe File opened for modification C:\Windows\SysWOW64\Amndem32.exe Ankdiqih.exe File created C:\Windows\SysWOW64\Ddcdkl32.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Inljnfkg.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Henidd32.exe Hellne32.exe File opened for modification C:\Windows\SysWOW64\Nfmmin32.exe Ngkmnacm.exe File created C:\Windows\SysWOW64\Njdfjjia.dll Ocomlemo.exe File created C:\Windows\SysWOW64\Ocajbekl.exe Oenifh32.exe File created C:\Windows\SysWOW64\Ckignd32.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Anapbp32.dll Dqhhknjp.exe File opened for modification C:\Windows\SysWOW64\Qjknnbed.exe Qlhnbf32.exe File created C:\Windows\SysWOW64\Iegecigk.dll Bhfagipa.exe File created C:\Windows\SysWOW64\Maomqp32.dll Cfgaiaci.exe File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe Fjdbnf32.exe File created C:\Windows\SysWOW64\Hhmepp32.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Njkfpl32.exe Nfpjomgd.exe -
Program crash 1 IoCs
pid pid_target Process 7012 6984 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjcgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfbll32.dll" Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfeblka.dll" Mhgclfje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqlckoi.dll" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihoafpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" Ggpimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minjlg32.dll" Joepio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leajegob.dll" Banepo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnippoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cphlljge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqcnfjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibgai32.dll" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokcq32.dll" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmdcfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmnbkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neeeodef.dll" Odgcfijj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafpmhio.dll" Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhlmgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajfmcbo.dll" Infdolgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnofejom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" Fdapak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpojo32.dll" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgcfijj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjilieka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffbicfoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfkkimlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpafgnp.dll" Mcodno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhqdcam.dll" Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjfhhen.dll" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfpbmji.dll" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcfok32.dll" Dbehoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifone32.dll" Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lganiohl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpafgnp.dll" Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinopgfb.dll" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbpqb32.dll" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcfdgiid.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3056 wrote to memory of 2744 3056 571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe 28 PID 3056 wrote to memory of 2744 3056 571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe 28 PID 3056 wrote to memory of 2744 3056 571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe 28 PID 3056 wrote to memory of 2744 3056 571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe 28 PID 2744 wrote to memory of 2624 2744 Iiikfehq.exe 29 PID 2744 wrote to memory of 2624 2744 Iiikfehq.exe 29 PID 2744 wrote to memory of 2624 2744 Iiikfehq.exe 29 PID 2744 wrote to memory of 2624 2744 Iiikfehq.exe 29 PID 2624 wrote to memory of 2432 2624 Ioccco32.exe 30 PID 2624 wrote to memory of 2432 2624 Ioccco32.exe 30 PID 2624 wrote to memory of 2432 2624 Ioccco32.exe 30 PID 2624 wrote to memory of 2432 2624 Ioccco32.exe 30 PID 2432 wrote to memory of 2640 2432 Infdolgh.exe 31 PID 2432 wrote to memory of 2640 2432 Infdolgh.exe 31 PID 2432 wrote to memory of 2640 2432 Infdolgh.exe 31 PID 2432 wrote to memory of 2640 2432 Infdolgh.exe 31 PID 2640 wrote to memory of 2712 2640 Ibapoj32.exe 32 PID 2640 wrote to memory of 2712 2640 Ibapoj32.exe 32 PID 2640 wrote to memory of 2712 2640 Ibapoj32.exe 32 PID 2640 wrote to memory of 2712 2640 Ibapoj32.exe 32 PID 2712 wrote to memory of 2860 2712 Ifmlpigj.exe 33 PID 2712 wrote to memory of 2860 2712 Ifmlpigj.exe 33 PID 2712 wrote to memory of 2860 2712 Ifmlpigj.exe 33 PID 2712 wrote to memory of 2860 2712 Ifmlpigj.exe 33 PID 2860 wrote to memory of 1844 2860 Jeplkf32.exe 34 PID 2860 wrote to memory of 1844 2860 Jeplkf32.exe 34 PID 2860 wrote to memory of 1844 2860 Jeplkf32.exe 34 PID 2860 wrote to memory of 1844 2860 Jeplkf32.exe 34 PID 1844 wrote to memory of 2664 1844 Jgnhga32.exe 35 PID 1844 wrote to memory of 2664 1844 Jgnhga32.exe 35 PID 1844 wrote to memory of 2664 1844 Jgnhga32.exe 35 PID 1844 wrote to memory of 2664 1844 Jgnhga32.exe 35 PID 2664 wrote to memory of 2756 2664 Jkjdhpea.exe 36 PID 2664 wrote to memory of 2756 2664 Jkjdhpea.exe 36 PID 2664 wrote to memory of 2756 2664 Jkjdhpea.exe 36 PID 2664 wrote to memory of 2756 2664 Jkjdhpea.exe 36 PID 2756 wrote to memory of 2000 2756 Joepio32.exe 37 PID 2756 wrote to memory of 2000 2756 Joepio32.exe 37 PID 2756 wrote to memory of 2000 2756 Joepio32.exe 37 PID 2756 wrote to memory of 2000 2756 Joepio32.exe 37 PID 2000 wrote to memory of 1676 2000 Jbdlejmn.exe 38 PID 2000 wrote to memory of 1676 2000 Jbdlejmn.exe 38 PID 2000 wrote to memory of 1676 2000 Jbdlejmn.exe 38 PID 2000 wrote to memory of 1676 2000 Jbdlejmn.exe 38 PID 1676 wrote to memory of 2120 1676 Jagmpg32.exe 39 PID 1676 wrote to memory of 2120 1676 Jagmpg32.exe 39 PID 1676 wrote to memory of 2120 1676 Jagmpg32.exe 39 PID 1676 wrote to memory of 2120 1676 Jagmpg32.exe 39 PID 2120 wrote to memory of 620 2120 Jinead32.exe 40 PID 2120 wrote to memory of 620 2120 Jinead32.exe 40 PID 2120 wrote to memory of 620 2120 Jinead32.exe 40 PID 2120 wrote to memory of 620 2120 Jinead32.exe 40 PID 620 wrote to memory of 632 620 Jklanp32.exe 41 PID 620 wrote to memory of 632 620 Jklanp32.exe 41 PID 620 wrote to memory of 632 620 Jklanp32.exe 41 PID 620 wrote to memory of 632 620 Jklanp32.exe 41 PID 632 wrote to memory of 2084 632 Jjoailji.exe 42 PID 632 wrote to memory of 2084 632 Jjoailji.exe 42 PID 632 wrote to memory of 2084 632 Jjoailji.exe 42 PID 632 wrote to memory of 2084 632 Jjoailji.exe 42 PID 2084 wrote to memory of 2228 2084 Jbfijjkl.exe 43 PID 2084 wrote to memory of 2228 2084 Jbfijjkl.exe 43 PID 2084 wrote to memory of 2228 2084 Jbfijjkl.exe 43 PID 2084 wrote to memory of 2228 2084 Jbfijjkl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe"C:\Users\Admin\AppData\Local\Temp\571b04c9dc972a75bcb1249b49959a29479243ad6c48b8676103c9062691bf62.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe34⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe35⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe36⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe38⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe39⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe40⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe41⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe42⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe43⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe44⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe48⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe49⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe52⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe53⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe54⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe55⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe58⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe59⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe61⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe62⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe63⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe64⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe66⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe67⤵PID:1684
-
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe68⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe69⤵PID:1792
-
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe70⤵PID:904
-
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe71⤵PID:2204
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe72⤵PID:2536
-
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe73⤵PID:1632
-
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe74⤵PID:2940
-
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe75⤵PID:2588
-
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe76⤵PID:2680
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe78⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe79⤵PID:2356
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe80⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe81⤵PID:564
-
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe83⤵PID:1132
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe84⤵PID:1848
-
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe85⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe86⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe87⤵PID:2580
-
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe88⤵PID:2716
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe89⤵PID:1412
-
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe90⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe91⤵PID:2688
-
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe92⤵PID:1968
-
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe93⤵PID:912
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe95⤵
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe96⤵PID:1908
-
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe97⤵PID:324
-
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe98⤵PID:1288
-
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe99⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe100⤵PID:2936
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe101⤵PID:2924
-
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe102⤵PID:2868
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe104⤵PID:1708
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe105⤵PID:2268
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe106⤵PID:1444
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe107⤵PID:2684
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe108⤵PID:2284
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:280 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe110⤵PID:2132
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe111⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe113⤵PID:1772
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe114⤵PID:796
-
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe115⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe116⤵PID:2492
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe117⤵PID:2428
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe118⤵PID:1868
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe119⤵PID:2100
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe120⤵PID:1200
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe121⤵PID:1652
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-