Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 14:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a7e474cfb60267984e49a00941f64fc3.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a7e474cfb60267984e49a00941f64fc3.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a7e474cfb60267984e49a00941f64fc3.exe
-
Size
207KB
-
MD5
a7e474cfb60267984e49a00941f64fc3
-
SHA1
d31690dcd090648bc18dbbaa3fa7c369114bb12a
-
SHA256
bba17d843843e9b66cdc58623a79e343629abf332cb12c99f1c36af1f73efbe3
-
SHA512
a205ef42a9b9618ea4f691d41506294ccb9144c2a6511c3f3434309fc177bf7583bee3c5dc82eace1d3dc8963fabcfa8aaa36e34f1a586d9505612fdb119313f
-
SSDEEP
3072:EV92GlloWhAnnn62qjWmtL2VjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:YoWhAnnnY5tyVjj+VPj92d62ASOwj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonplmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbfdmeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqmmpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oghlgdgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcaomf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifcbodli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjdfmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iknnbklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkijmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbcpbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgplkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjmodopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhooggdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahchbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omloag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdbdjhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbhnhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gogangdc.exe -
Executes dropped EXE 64 IoCs
pid Process 1724 Nbdnoo32.exe 2556 Nmjblg32.exe 2568 Nbfjdn32.exe 2664 Ofbfdmeb.exe 2672 Omloag32.exe 2488 Oojknblb.exe 1568 Onmkio32.exe 2308 Odgcfijj.exe 1456 Okalbc32.exe 2180 Onphoo32.exe 1520 Oqndkj32.exe 1876 Oghlgdgk.exe 1440 Okchhc32.exe 1652 Ocomlemo.exe 1184 Ogjimd32.exe 2056 Omgaek32.exe 1416 Oqcnfjli.exe 2484 Ogmfbd32.exe 2312 Pminkk32.exe 452 Pccfge32.exe 2924 Pjmodopf.exe 1296 Pmlkpjpj.exe 1988 Ppjglfon.exe 572 Pfdpip32.exe 2868 Pjpkjond.exe 1508 Ppmdbe32.exe 3016 Peiljl32.exe 2544 Pmqdkj32.exe 2580 Ppoqge32.exe 2444 Pfiidobe.exe 1680 Phjelg32.exe 1352 Ppamme32.exe 2344 Pbpjiphi.exe 280 Pabjem32.exe 2688 Qhmbagfa.exe 896 Qbbfopeg.exe 2712 Qeqbkkej.exe 1264 Qhooggdn.exe 324 Qjmkcbcb.exe 1596 Adeplhib.exe 356 Aajpelhl.exe 2932 Ahchbf32.exe 332 Ampqjm32.exe 960 Adjigg32.exe 2960 Ambmpmln.exe 2512 Alenki32.exe 796 Admemg32.exe 2908 Afkbib32.exe 2992 Aiinen32.exe 1360 Amejeljk.exe 2472 Apcfahio.exe 1076 Afmonbqk.exe 2928 Aepojo32.exe 916 Ahokfj32.exe 2420 Bpfcgg32.exe 2084 Bbdocc32.exe 888 Bebkpn32.exe 1028 Bingpmnl.exe 776 Blmdlhmp.exe 2844 Bbflib32.exe 2832 Beehencq.exe 1748 Bloqah32.exe 1292 Bommnc32.exe 2768 Begeknan.exe -
Loads dropped DLL 64 IoCs
pid Process 2068 a7e474cfb60267984e49a00941f64fc3.exe 2068 a7e474cfb60267984e49a00941f64fc3.exe 1724 Nbdnoo32.exe 1724 Nbdnoo32.exe 2556 Nmjblg32.exe 2556 Nmjblg32.exe 2568 Nbfjdn32.exe 2568 Nbfjdn32.exe 2664 Ofbfdmeb.exe 2664 Ofbfdmeb.exe 2672 Omloag32.exe 2672 Omloag32.exe 2488 Oojknblb.exe 2488 Oojknblb.exe 1568 Onmkio32.exe 1568 Onmkio32.exe 2308 Odgcfijj.exe 2308 Odgcfijj.exe 1456 Okalbc32.exe 1456 Okalbc32.exe 2180 Onphoo32.exe 2180 Onphoo32.exe 1520 Oqndkj32.exe 1520 Oqndkj32.exe 1876 Oghlgdgk.exe 1876 Oghlgdgk.exe 1440 Okchhc32.exe 1440 Okchhc32.exe 1652 Ocomlemo.exe 1652 Ocomlemo.exe 1184 Ogjimd32.exe 1184 Ogjimd32.exe 2056 Omgaek32.exe 2056 Omgaek32.exe 1416 Oqcnfjli.exe 1416 Oqcnfjli.exe 2484 Ogmfbd32.exe 2484 Ogmfbd32.exe 2312 Pminkk32.exe 2312 Pminkk32.exe 452 Pccfge32.exe 452 Pccfge32.exe 2924 Pjmodopf.exe 2924 Pjmodopf.exe 1296 Pmlkpjpj.exe 1296 Pmlkpjpj.exe 1988 Ppjglfon.exe 1988 Ppjglfon.exe 572 Pfdpip32.exe 572 Pfdpip32.exe 2868 Pjpkjond.exe 2868 Pjpkjond.exe 1508 Ppmdbe32.exe 1508 Ppmdbe32.exe 3016 Peiljl32.exe 3016 Peiljl32.exe 2544 Pmqdkj32.exe 2544 Pmqdkj32.exe 2580 Ppoqge32.exe 2580 Ppoqge32.exe 2444 Pfiidobe.exe 2444 Pfiidobe.exe 1680 Phjelg32.exe 1680 Phjelg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Anccmo32.exe Alegac32.exe File opened for modification C:\Windows\SysWOW64\Dqjepm32.exe Dmoipopd.exe File created C:\Windows\SysWOW64\Jqfffqpm.exe Jmjjea32.exe File created C:\Windows\SysWOW64\Omdneebf.exe Ohibdf32.exe File created C:\Windows\SysWOW64\Kiebec32.dll Oikojfgk.exe File created C:\Windows\SysWOW64\Dpbnlj32.dll Jgidao32.exe File created C:\Windows\SysWOW64\Nhiffc32.exe Naoniipe.exe File created C:\Windows\SysWOW64\Pflomnkb.exe Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Ahlgfdeq.exe Aemkjiem.exe File created C:\Windows\SysWOW64\Jaegglem.dll Dfmdho32.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Flmefm32.exe File created C:\Windows\SysWOW64\Gicbeald.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Hiekid32.exe Hggomh32.exe File opened for modification C:\Windows\SysWOW64\Iokfhi32.exe Ikpjgkjq.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Ebmgcohn.exe File created C:\Windows\SysWOW64\Fhffaj32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Bgmefakc.dll Onhgbmfb.exe File created C:\Windows\SysWOW64\Lfmnmlid.dll Ckoilb32.exe File created C:\Windows\SysWOW64\Ebmgcohn.exe Enakbp32.exe File created C:\Windows\SysWOW64\Hbgodfkh.dll Noqamn32.exe File created C:\Windows\SysWOW64\Qimhoi32.exe Qjjgclai.exe File opened for modification C:\Windows\SysWOW64\Bmpfojmp.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Jhnaid32.dll Qhmbagfa.exe File created C:\Windows\SysWOW64\Hecjkifm.dll Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Feocmm32.dll Jmmfkafa.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qedhdjnh.exe File created C:\Windows\SysWOW64\Dbdijd32.dll Qeqbkkej.exe File created C:\Windows\SysWOW64\Aiabof32.dll Bcaomf32.exe File created C:\Windows\SysWOW64\Oecbjjic.dll Globlmmj.exe File created C:\Windows\SysWOW64\Jejinjob.dll Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Emeopn32.exe Eijcpoac.exe File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Phofkg32.dll Hpkjko32.exe File opened for modification C:\Windows\SysWOW64\Kiccofna.exe Kjqccigf.exe File created C:\Windows\SysWOW64\Bpbbfi32.dll Eqbddk32.exe File created C:\Windows\SysWOW64\Aoipdkgg.dll Bpafkknm.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Flmefm32.exe File created C:\Windows\SysWOW64\Jmmjdk32.dll Gaemjbcg.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Ocomlemo.exe Okchhc32.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dfijnd32.exe File created C:\Windows\SysWOW64\Kgbggnhc.exe Kcfkfo32.exe File created C:\Windows\SysWOW64\Llnofpcg.exe Ldfgebbe.exe File created C:\Windows\SysWOW64\Lajhofao.exe Lmolnh32.exe File opened for modification C:\Windows\SysWOW64\Jgnamk32.exe Jcbellac.exe File opened for modification C:\Windows\SysWOW64\Nceclqan.exe Ndbcpd32.exe File opened for modification C:\Windows\SysWOW64\Qeqbkkej.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Bkddcl32.dll Pedleg32.exe File created C:\Windows\SysWOW64\Okphjd32.dll Bhigphio.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Filldb32.exe File created C:\Windows\SysWOW64\Gcghbk32.dll Qimhoi32.exe File created C:\Windows\SysWOW64\Igmdobgi.dll Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Pmqdkj32.exe Peiljl32.exe File created C:\Windows\SysWOW64\Monhhk32.exe Mkclhl32.exe File opened for modification C:\Windows\SysWOW64\Apmmjh32.dll Blpjegfm.exe File created C:\Windows\SysWOW64\Cdbdjhmp.exe Ceodnl32.exe File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Nmlnnp32.dll Olmhdf32.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll Qjjgclai.exe File created C:\Windows\SysWOW64\Bldcpf32.exe Bhigphio.exe File created C:\Windows\SysWOW64\Dhnmij32.exe Djklnnaj.exe File created C:\Windows\SysWOW64\Qinopgfb.dll Baqbenep.exe -
Program crash 1 IoCs
pid pid_target Process 6224 4580 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Dflkdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpome32.dll" Kifpdelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pklhlael.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjhknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbllihbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaaijdgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pabjem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjpqdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhfipcid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll" Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbpnanch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgnke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppbfpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffoia32.dll" Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldlimbcf.dll" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgcddkm.dll" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppjglfon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Dcfdgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfahajeg.dll" Incpoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aajpelhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epaogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmgdddmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbfpik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmhheqje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mppepcfg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 1724 2068 a7e474cfb60267984e49a00941f64fc3.exe 28 PID 2068 wrote to memory of 1724 2068 a7e474cfb60267984e49a00941f64fc3.exe 28 PID 2068 wrote to memory of 1724 2068 a7e474cfb60267984e49a00941f64fc3.exe 28 PID 2068 wrote to memory of 1724 2068 a7e474cfb60267984e49a00941f64fc3.exe 28 PID 1724 wrote to memory of 2556 1724 Nbdnoo32.exe 29 PID 1724 wrote to memory of 2556 1724 Nbdnoo32.exe 29 PID 1724 wrote to memory of 2556 1724 Nbdnoo32.exe 29 PID 1724 wrote to memory of 2556 1724 Nbdnoo32.exe 29 PID 2556 wrote to memory of 2568 2556 Nmjblg32.exe 30 PID 2556 wrote to memory of 2568 2556 Nmjblg32.exe 30 PID 2556 wrote to memory of 2568 2556 Nmjblg32.exe 30 PID 2556 wrote to memory of 2568 2556 Nmjblg32.exe 30 PID 2568 wrote to memory of 2664 2568 Nbfjdn32.exe 31 PID 2568 wrote to memory of 2664 2568 Nbfjdn32.exe 31 PID 2568 wrote to memory of 2664 2568 Nbfjdn32.exe 31 PID 2568 wrote to memory of 2664 2568 Nbfjdn32.exe 31 PID 2664 wrote to memory of 2672 2664 Ofbfdmeb.exe 32 PID 2664 wrote to memory of 2672 2664 Ofbfdmeb.exe 32 PID 2664 wrote to memory of 2672 2664 Ofbfdmeb.exe 32 PID 2664 wrote to memory of 2672 2664 Ofbfdmeb.exe 32 PID 2672 wrote to memory of 2488 2672 Omloag32.exe 33 PID 2672 wrote to memory of 2488 2672 Omloag32.exe 33 PID 2672 wrote to memory of 2488 2672 Omloag32.exe 33 PID 2672 wrote to memory of 2488 2672 Omloag32.exe 33 PID 2488 wrote to memory of 1568 2488 Oojknblb.exe 34 PID 2488 wrote to memory of 1568 2488 Oojknblb.exe 34 PID 2488 wrote to memory of 1568 2488 Oojknblb.exe 34 PID 2488 wrote to memory of 1568 2488 Oojknblb.exe 34 PID 1568 wrote to memory of 2308 1568 Onmkio32.exe 35 PID 1568 wrote to memory of 2308 1568 Onmkio32.exe 35 PID 1568 wrote to memory of 2308 1568 Onmkio32.exe 35 PID 1568 wrote to memory of 2308 1568 Onmkio32.exe 35 PID 2308 wrote to memory of 1456 2308 Odgcfijj.exe 36 PID 2308 wrote to memory of 1456 2308 Odgcfijj.exe 36 PID 2308 wrote to memory of 1456 2308 Odgcfijj.exe 36 PID 2308 wrote to memory of 1456 2308 Odgcfijj.exe 36 PID 1456 wrote to memory of 2180 1456 Okalbc32.exe 37 PID 1456 wrote to memory of 2180 1456 Okalbc32.exe 37 PID 1456 wrote to memory of 2180 1456 Okalbc32.exe 37 PID 1456 wrote to memory of 2180 1456 Okalbc32.exe 37 PID 2180 wrote to memory of 1520 2180 Onphoo32.exe 38 PID 2180 wrote to memory of 1520 2180 Onphoo32.exe 38 PID 2180 wrote to memory of 1520 2180 Onphoo32.exe 38 PID 2180 wrote to memory of 1520 2180 Onphoo32.exe 38 PID 1520 wrote to memory of 1876 1520 Oqndkj32.exe 39 PID 1520 wrote to memory of 1876 1520 Oqndkj32.exe 39 PID 1520 wrote to memory of 1876 1520 Oqndkj32.exe 39 PID 1520 wrote to memory of 1876 1520 Oqndkj32.exe 39 PID 1876 wrote to memory of 1440 1876 Oghlgdgk.exe 40 PID 1876 wrote to memory of 1440 1876 Oghlgdgk.exe 40 PID 1876 wrote to memory of 1440 1876 Oghlgdgk.exe 40 PID 1876 wrote to memory of 1440 1876 Oghlgdgk.exe 40 PID 1440 wrote to memory of 1652 1440 Okchhc32.exe 41 PID 1440 wrote to memory of 1652 1440 Okchhc32.exe 41 PID 1440 wrote to memory of 1652 1440 Okchhc32.exe 41 PID 1440 wrote to memory of 1652 1440 Okchhc32.exe 41 PID 1652 wrote to memory of 1184 1652 Ocomlemo.exe 42 PID 1652 wrote to memory of 1184 1652 Ocomlemo.exe 42 PID 1652 wrote to memory of 1184 1652 Ocomlemo.exe 42 PID 1652 wrote to memory of 1184 1652 Ocomlemo.exe 42 PID 1184 wrote to memory of 2056 1184 Ogjimd32.exe 43 PID 1184 wrote to memory of 2056 1184 Ogjimd32.exe 43 PID 1184 wrote to memory of 2056 1184 Ogjimd32.exe 43 PID 1184 wrote to memory of 2056 1184 Ogjimd32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7e474cfb60267984e49a00941f64fc3.exe"C:\Users\Admin\AppData\Local\Temp\a7e474cfb60267984e49a00941f64fc3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe33⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe34⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe40⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe41⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:356 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe44⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe45⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe46⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe47⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe48⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe49⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe50⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe51⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe52⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe53⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe55⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe56⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe57⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe58⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe60⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe61⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe62⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe63⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe64⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe65⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe66⤵PID:1544
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe67⤵PID:1912
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe68⤵PID:2212
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe69⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe70⤵PID:2920
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe72⤵PID:1992
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe73⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe74⤵PID:2340
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe76⤵PID:1660
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe77⤵PID:2304
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe78⤵PID:2120
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe79⤵PID:2192
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe80⤵PID:2820
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe81⤵PID:2812
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe82⤵PID:1460
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe83⤵PID:3048
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe84⤵PID:2296
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe86⤵PID:2128
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe87⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe88⤵PID:808
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe89⤵PID:1600
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe90⤵PID:1644
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe91⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe94⤵PID:2596
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe95⤵
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe96⤵PID:1540
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe97⤵PID:2028
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe98⤵PID:2692
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe99⤵PID:2972
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe100⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe101⤵PID:2392
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe102⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe103⤵PID:1368
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe104⤵PID:2668
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe105⤵PID:2200
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe106⤵PID:792
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe107⤵PID:1712
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe108⤵PID:1484
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe109⤵PID:1200
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe110⤵PID:1948
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe111⤵PID:1896
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe112⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe113⤵PID:2188
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe114⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe115⤵PID:2272
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe116⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe117⤵PID:2944
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe118⤵PID:1900
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe119⤵PID:2156
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe120⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe121⤵PID:1756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-