Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
12/05/2024, 18:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe
-
Size
320KB
-
MD5
050e71615646b6c853333d6b672a88a1
-
SHA1
5897267e301e16b8eba4e94dbe32fb1422ed7639
-
SHA256
01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551
-
SHA512
7003dac02b8cadda1c501bbec12e9d5253ac88819bbd69ab1b4880b34ab019002d7a92b6813686cdaf67f13cc4ef68d8ffbc048e89e04c32b5aa96d67b9f50dc
-
SSDEEP
6144:cf53zyLD5M8LBQbPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8n:gzyrLBsuqFHRFbeE8n
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkijmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caknol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lemaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meccii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeqbkkej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oopnlacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pigeqkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lollckbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inljnfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcadac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdikkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnqem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahojc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcnhjnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjqhmkm.exe -
Executes dropped EXE 64 IoCs
pid Process 2128 Jeplkf32.exe 2540 Jbdlejmn.exe 2628 Jnkmjk32.exe 2184 Jgcabqic.exe 2456 Jakfkfpc.exe 2164 Jfhocmnk.exe 2764 Jpqclb32.exe 2800 Jjfgjk32.exe 1620 Kbalnnam.exe 2320 Kikdkh32.exe 2424 Kfoedl32.exe 1336 Kmimafop.exe 1216 Kedaeh32.exe 2036 Kbhbom32.exe 2220 Klqfhbbe.exe 2868 Kbkodl32.exe 1732 Llccmb32.exe 1224 Lmdpejfq.exe 1472 Lhjdbcef.exe 3008 Lmgmjjdn.exe 864 Limmokib.exe 2984 Ladeqhjd.exe 2204 Lkmjin32.exe 1108 Lmkfei32.exe 884 Ldenbcge.exe 1744 Lefkjkmc.exe 3040 Llqcfe32.exe 1944 Mgfgdn32.exe 2596 Mlcple32.exe 2464 Mcmhiojk.exe 2436 Mlelaeqk.exe 2940 Mkhmma32.exe 2752 Mdqafgnf.exe 2796 Mlgigdoh.exe 1460 Mepnpj32.exe 1888 Mhnjle32.exe 2972 Mohbip32.exe 844 Mdejaf32.exe 2112 Njbcim32.exe 2040 Naikkk32.exe 2524 Ndgggf32.exe 2852 Nnplpl32.exe 944 Nlblkhei.exe 1112 Ndjdlffl.exe 1476 Nghphaeo.exe 320 Nnbhek32.exe 1980 Nqqdag32.exe 1928 Ncoamb32.exe 1604 Ngkmnacm.exe 2160 Nfmmin32.exe 472 Nlgefh32.exe 1644 Ncancbha.exe 2584 Nfpjomgd.exe 2444 Nmjblg32.exe 2500 Nkmbgdfl.exe 2948 Nbfjdn32.exe 548 Ofbfdmeb.exe 2916 Ohqbqhde.exe 1600 Omloag32.exe 2392 Onmkio32.exe 1240 Odgcfijj.exe 2696 Ogfpbeim.exe 1972 Okalbc32.exe 1968 Oqndkj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2980 01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe 2980 01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe 2128 Jeplkf32.exe 2128 Jeplkf32.exe 2540 Jbdlejmn.exe 2540 Jbdlejmn.exe 2628 Jnkmjk32.exe 2628 Jnkmjk32.exe 2184 Jgcabqic.exe 2184 Jgcabqic.exe 2456 Jakfkfpc.exe 2456 Jakfkfpc.exe 2164 Jfhocmnk.exe 2164 Jfhocmnk.exe 2764 Jpqclb32.exe 2764 Jpqclb32.exe 2800 Jjfgjk32.exe 2800 Jjfgjk32.exe 1620 Kbalnnam.exe 1620 Kbalnnam.exe 2320 Kikdkh32.exe 2320 Kikdkh32.exe 2424 Kfoedl32.exe 2424 Kfoedl32.exe 1336 Kmimafop.exe 1336 Kmimafop.exe 1216 Kedaeh32.exe 1216 Kedaeh32.exe 2036 Kbhbom32.exe 2036 Kbhbom32.exe 2220 Klqfhbbe.exe 2220 Klqfhbbe.exe 2868 Kbkodl32.exe 2868 Kbkodl32.exe 1732 Llccmb32.exe 1732 Llccmb32.exe 1224 Lmdpejfq.exe 1224 Lmdpejfq.exe 1472 Lhjdbcef.exe 1472 Lhjdbcef.exe 3008 Lmgmjjdn.exe 3008 Lmgmjjdn.exe 864 Limmokib.exe 864 Limmokib.exe 2984 Ladeqhjd.exe 2984 Ladeqhjd.exe 2204 Lkmjin32.exe 2204 Lkmjin32.exe 1108 Lmkfei32.exe 1108 Lmkfei32.exe 884 Ldenbcge.exe 884 Ldenbcge.exe 1744 Lefkjkmc.exe 1744 Lefkjkmc.exe 3040 Llqcfe32.exe 3040 Llqcfe32.exe 1944 Mgfgdn32.exe 1944 Mgfgdn32.exe 2596 Mlcple32.exe 2596 Mlcple32.exe 2464 Mcmhiojk.exe 2464 Mcmhiojk.exe 2436 Mlelaeqk.exe 2436 Mlelaeqk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nopodm32.dll Fmhheqje.exe File created C:\Windows\SysWOW64\Jkdpanhg.exe Jgidao32.exe File created C:\Windows\SysWOW64\Jddnncch.dll Meccii32.exe File opened for modification C:\Windows\SysWOW64\Gpknlk32.exe Fmlapp32.exe File created C:\Windows\SysWOW64\Nialog32.exe Najdnj32.exe File opened for modification C:\Windows\SysWOW64\Nceclqan.exe Nacgdhlp.exe File created C:\Windows\SysWOW64\Adnopfoj.exe Aaobdjof.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe Hlakpp32.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Bpnbkeld.exe File created C:\Windows\SysWOW64\Ckoilb32.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Fbbkkjih.dll Meagci32.exe File opened for modification C:\Windows\SysWOW64\Piphee32.exe Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Kfoedl32.exe Kikdkh32.exe File created C:\Windows\SysWOW64\Mkhmma32.exe Mlelaeqk.exe File created C:\Windows\SysWOW64\Ljdjcj32.dll Jnemdecl.exe File created C:\Windows\SysWOW64\Knjbnh32.exe Kgpjanje.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Pclfkc32.exe Pamiog32.exe File opened for modification C:\Windows\SysWOW64\Papfegmk.exe Pnajilng.exe File created C:\Windows\SysWOW64\Cllpkl32.exe Cfbhnaho.exe File opened for modification C:\Windows\SysWOW64\Ccfhhffh.exe Cllpkl32.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Mohbip32.exe Mhnjle32.exe File created C:\Windows\SysWOW64\Gfoihbdp.dll Fmlapp32.exe File created C:\Windows\SysWOW64\Flmpfjke.dll Kcfkfo32.exe File created C:\Windows\SysWOW64\Kdkpbk32.dll Mamddf32.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Aamfnkai.exe File opened for modification C:\Windows\SysWOW64\Njbcim32.exe Mdejaf32.exe File created C:\Windows\SysWOW64\Bhcdaibd.exe Beehencq.exe File opened for modification C:\Windows\SysWOW64\Mamddf32.exe Monhhk32.exe File created C:\Windows\SysWOW64\Mpigfa32.exe Mhbped32.exe File opened for modification C:\Windows\SysWOW64\Pimkpfeh.exe Obcccl32.exe File created C:\Windows\SysWOW64\Ngkmnacm.exe Ncoamb32.exe File created C:\Windows\SysWOW64\Lbidmekh.dll Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe Faagpp32.exe File opened for modification C:\Windows\SysWOW64\Odgcfijj.exe Onmkio32.exe File created C:\Windows\SysWOW64\Oeeonk32.dll Cpeofk32.exe File created C:\Windows\SysWOW64\Chhjkl32.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Mlibjc32.exe Mmfbogcn.exe File created C:\Windows\SysWOW64\Ebjglbml.exe Eplkpgnh.exe File created C:\Windows\SysWOW64\Mlgigdoh.exe Mdqafgnf.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bingpmnl.exe File created C:\Windows\SysWOW64\Gldkfl32.exe Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Loeebl32.exe Llfifq32.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pflomnkb.exe File opened for modification C:\Windows\SysWOW64\Caknol32.exe Cjdfmo32.exe File created C:\Windows\SysWOW64\Ccngld32.exe Cdlgpgef.exe File opened for modification C:\Windows\SysWOW64\Ejobhppq.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Jpqclb32.exe Jfhocmnk.exe File opened for modification C:\Windows\SysWOW64\Ppoqge32.exe Piehkkcl.exe File opened for modification C:\Windows\SysWOW64\Jokcgmee.exe Jkpgfn32.exe File created C:\Windows\SysWOW64\Mcbjgn32.exe Mlibjc32.exe File created C:\Windows\SysWOW64\Oklkmnbp.exe Nceclqan.exe File created C:\Windows\SysWOW64\Ladeqhjd.exe Limmokib.exe File created C:\Windows\SysWOW64\Njgpdbgm.dll Nfmmin32.exe File created C:\Windows\SysWOW64\Fabnbook.dll Alenki32.exe File created C:\Windows\SysWOW64\Lflmci32.exe Loeebl32.exe File created C:\Windows\SysWOW64\Imgcddkm.dll Oiellh32.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Lanfmb32.dll Eecqjpee.exe File created C:\Windows\SysWOW64\Egdilkbf.exe Eeempocb.exe File created C:\Windows\SysWOW64\Negbaime.dll Mlcple32.exe File created C:\Windows\SysWOW64\Nfpjomgd.exe Ncancbha.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5420 5408 WerFault.exe 563 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jakfkfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdbcl32.dll" Aoepcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgbni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclkfdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhmo32.dll" Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dookgcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchafg32.dll" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqqh32.dll" Jbdlejmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjknnbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klealkpf.dll" Lmdpejfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgaje32.dll" Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqncakcq.dll" Lpdbloof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdqafgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnqqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjp32.dll" Kmaled32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmoipopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll" Bdgafdfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcmhiojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnekf32.dll" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ladeqhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlgonbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geofbffe.dll" Kahojc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgcabqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocindg32.dll" Nceclqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhklfnh.dll" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdcoomf.dll" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llccmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cckace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpdmj32.dll" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naikkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblnkb32.dll" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlcbpdk.dll" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" Pmnhfjmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjfccn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paejki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbjgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmddhkao.dll" Bebkpn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2128 2980 01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe 28 PID 2980 wrote to memory of 2128 2980 01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe 28 PID 2980 wrote to memory of 2128 2980 01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe 28 PID 2980 wrote to memory of 2128 2980 01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe 28 PID 2128 wrote to memory of 2540 2128 Jeplkf32.exe 29 PID 2128 wrote to memory of 2540 2128 Jeplkf32.exe 29 PID 2128 wrote to memory of 2540 2128 Jeplkf32.exe 29 PID 2128 wrote to memory of 2540 2128 Jeplkf32.exe 29 PID 2540 wrote to memory of 2628 2540 Jbdlejmn.exe 30 PID 2540 wrote to memory of 2628 2540 Jbdlejmn.exe 30 PID 2540 wrote to memory of 2628 2540 Jbdlejmn.exe 30 PID 2540 wrote to memory of 2628 2540 Jbdlejmn.exe 30 PID 2628 wrote to memory of 2184 2628 Jnkmjk32.exe 31 PID 2628 wrote to memory of 2184 2628 Jnkmjk32.exe 31 PID 2628 wrote to memory of 2184 2628 Jnkmjk32.exe 31 PID 2628 wrote to memory of 2184 2628 Jnkmjk32.exe 31 PID 2184 wrote to memory of 2456 2184 Jgcabqic.exe 32 PID 2184 wrote to memory of 2456 2184 Jgcabqic.exe 32 PID 2184 wrote to memory of 2456 2184 Jgcabqic.exe 32 PID 2184 wrote to memory of 2456 2184 Jgcabqic.exe 32 PID 2456 wrote to memory of 2164 2456 Jakfkfpc.exe 33 PID 2456 wrote to memory of 2164 2456 Jakfkfpc.exe 33 PID 2456 wrote to memory of 2164 2456 Jakfkfpc.exe 33 PID 2456 wrote to memory of 2164 2456 Jakfkfpc.exe 33 PID 2164 wrote to memory of 2764 2164 Jfhocmnk.exe 34 PID 2164 wrote to memory of 2764 2164 Jfhocmnk.exe 34 PID 2164 wrote to memory of 2764 2164 Jfhocmnk.exe 34 PID 2164 wrote to memory of 2764 2164 Jfhocmnk.exe 34 PID 2764 wrote to memory of 2800 2764 Jpqclb32.exe 35 PID 2764 wrote to memory of 2800 2764 Jpqclb32.exe 35 PID 2764 wrote to memory of 2800 2764 Jpqclb32.exe 35 PID 2764 wrote to memory of 2800 2764 Jpqclb32.exe 35 PID 2800 wrote to memory of 1620 2800 Jjfgjk32.exe 36 PID 2800 wrote to memory of 1620 2800 Jjfgjk32.exe 36 PID 2800 wrote to memory of 1620 2800 Jjfgjk32.exe 36 PID 2800 wrote to memory of 1620 2800 Jjfgjk32.exe 36 PID 1620 wrote to memory of 2320 1620 Kbalnnam.exe 37 PID 1620 wrote to memory of 2320 1620 Kbalnnam.exe 37 PID 1620 wrote to memory of 2320 1620 Kbalnnam.exe 37 PID 1620 wrote to memory of 2320 1620 Kbalnnam.exe 37 PID 2320 wrote to memory of 2424 2320 Kikdkh32.exe 38 PID 2320 wrote to memory of 2424 2320 Kikdkh32.exe 38 PID 2320 wrote to memory of 2424 2320 Kikdkh32.exe 38 PID 2320 wrote to memory of 2424 2320 Kikdkh32.exe 38 PID 2424 wrote to memory of 1336 2424 Kfoedl32.exe 39 PID 2424 wrote to memory of 1336 2424 Kfoedl32.exe 39 PID 2424 wrote to memory of 1336 2424 Kfoedl32.exe 39 PID 2424 wrote to memory of 1336 2424 Kfoedl32.exe 39 PID 1336 wrote to memory of 1216 1336 Kmimafop.exe 40 PID 1336 wrote to memory of 1216 1336 Kmimafop.exe 40 PID 1336 wrote to memory of 1216 1336 Kmimafop.exe 40 PID 1336 wrote to memory of 1216 1336 Kmimafop.exe 40 PID 1216 wrote to memory of 2036 1216 Kedaeh32.exe 41 PID 1216 wrote to memory of 2036 1216 Kedaeh32.exe 41 PID 1216 wrote to memory of 2036 1216 Kedaeh32.exe 41 PID 1216 wrote to memory of 2036 1216 Kedaeh32.exe 41 PID 2036 wrote to memory of 2220 2036 Kbhbom32.exe 42 PID 2036 wrote to memory of 2220 2036 Kbhbom32.exe 42 PID 2036 wrote to memory of 2220 2036 Kbhbom32.exe 42 PID 2036 wrote to memory of 2220 2036 Kbhbom32.exe 42 PID 2220 wrote to memory of 2868 2220 Klqfhbbe.exe 43 PID 2220 wrote to memory of 2868 2220 Klqfhbbe.exe 43 PID 2220 wrote to memory of 2868 2220 Klqfhbbe.exe 43 PID 2220 wrote to memory of 2868 2220 Klqfhbbe.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe"C:\Users\Admin\AppData\Local\Temp\01c01f110fa585f8e3ee03d4b4b862cf6685baa563f212d18cda860314b61551.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe33⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe35⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe36⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe40⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe42⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe43⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe44⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe45⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe46⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe47⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe48⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe50⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe52⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe54⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe55⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe58⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe59⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe60⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe62⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe63⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe64⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe65⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe67⤵PID:2268
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:500 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe69⤵PID:328
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe70⤵PID:3000
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe71⤵PID:1788
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe72⤵PID:2328
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe73⤵PID:2732
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe74⤵PID:2492
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe75⤵PID:3036
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe76⤵PID:2768
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe77⤵
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe78⤵PID:1136
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe79⤵PID:2496
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1256 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe81⤵PID:2416
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe82⤵PID:588
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe83⤵PID:1988
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe84⤵PID:1048
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe85⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe86⤵PID:344
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe87⤵PID:1444
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe89⤵PID:2716
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe90⤵PID:2440
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe91⤵PID:2996
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe93⤵PID:1768
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe94⤵PID:1532
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1244 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe97⤵PID:756
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe98⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe100⤵PID:2284
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe101⤵PID:2196
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe102⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe103⤵PID:1716
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe104⤵PID:2712
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe105⤵PID:2484
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe106⤵PID:2700
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe107⤵PID:2776
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe109⤵PID:1464
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe110⤵PID:2044
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe111⤵PID:336
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe114⤵PID:2052
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe116⤵PID:2568
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe117⤵PID:1764
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe118⤵PID:796
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe119⤵PID:1940
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe120⤵PID:1252
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe121⤵PID:1420
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-