Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 18:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe
-
Size
224KB
-
MD5
a0332c88605a47b6774c2d59b8f02a24
-
SHA1
72d7fbd9252b4a71cc9dd7eb0aa6ae9d15f3d42c
-
SHA256
0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe
-
SHA512
d582fd056f90fd518592d89bd7d02f86796afb5bccfb5471237e3f3fe443d8e5a6c2f26d52d8db958a4d9433c61af3c2b91275bea34a3fc65394419ff9530a1e
-
SSDEEP
6144:oHl5UHE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:m5LaAD6RrI1+lDML
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbfahp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoffmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kinaqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgdjnofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipnfged.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolmdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgldmdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibocjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkmjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncoamb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkhmma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jedefejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnmjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnhqdkde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmjok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccjhafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnkmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ladeqhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjica32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icjfhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmgdddmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dngoibmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Limmokib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efppoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebiaelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmdpejfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meigpkka.exe -
Executes dropped EXE 64 IoCs
pid Process 1680 Hamjehqk.exe 2144 Hgjbmoob.exe 2528 Hdncgbnl.exe 2788 Hjkkojlc.exe 2688 Hdpplb32.exe 2536 Hkjhimcf.exe 2544 Iqgqacam.exe 2880 Ifdiijpe.exe 1272 Iolmbpfe.exe 1528 Iffeoj32.exe 1852 Iqljlb32.exe 2724 Icjfhn32.exe 1392 Iigoqe32.exe 2092 Ibocjk32.exe 2100 Imeggc32.exe 2016 Ibapoj32.exe 868 Jilhldfn.exe 568 Jnhqdkde.exe 1236 Jagmpg32.exe 1292 Jebiaelb.exe 2980 Jklanp32.exe 1656 Jnkmjk32.exe 376 Jaiiff32.exe 936 Jedefejo.exe 1976 Jcgfbb32.exe 1028 Jnmjok32.exe 2320 Jmpjkggj.exe 2944 Jfhocmnk.exe 2516 Jnofejom.exe 2628 Jclomamd.exe 2940 Jfkkimlh.exe 2408 Jiigehkl.exe 2496 Kfmhol32.exe 2872 Kikdkh32.exe 1208 Kbcicmpj.exe 1612 Kfoedl32.exe 884 Kinaqg32.exe 2708 Knjiin32.exe 2712 Kedaeh32.exe 2064 Kipnfged.exe 2076 Komfnnck.exe 2024 Kbhbom32.exe 688 Kegnkh32.exe 1416 Khekgc32.exe 1836 Kjcgco32.exe 2796 Kanopipl.exe 2604 Keikqhhe.exe 496 Lhggmchi.exe 3028 Lkfciogm.exe 2296 Lmdpejfq.exe 2036 Ldnhad32.exe 1692 Lhjdbcef.exe 1588 Lfmdnp32.exe 2580 Lodlom32.exe 2568 Labhkh32.exe 2424 Lpeifeca.exe 2764 Lgoacojo.exe 2736 Limmokib.exe 2004 Lmiipi32.exe 1968 Ladeqhjd.exe 1512 Lbfahp32.exe 1444 Lkmjin32.exe 2128 Lmkfei32.exe 1984 Llnfaffc.exe -
Loads dropped DLL 64 IoCs
pid Process 2340 0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe 2340 0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe 1680 Hamjehqk.exe 1680 Hamjehqk.exe 2144 Hgjbmoob.exe 2144 Hgjbmoob.exe 2528 Hdncgbnl.exe 2528 Hdncgbnl.exe 2788 Hjkkojlc.exe 2788 Hjkkojlc.exe 2688 Hdpplb32.exe 2688 Hdpplb32.exe 2536 Hkjhimcf.exe 2536 Hkjhimcf.exe 2544 Iqgqacam.exe 2544 Iqgqacam.exe 2880 Ifdiijpe.exe 2880 Ifdiijpe.exe 1272 Iolmbpfe.exe 1272 Iolmbpfe.exe 1528 Iffeoj32.exe 1528 Iffeoj32.exe 1852 Iqljlb32.exe 1852 Iqljlb32.exe 2724 Icjfhn32.exe 2724 Icjfhn32.exe 1392 Iigoqe32.exe 1392 Iigoqe32.exe 2092 Ibocjk32.exe 2092 Ibocjk32.exe 2100 Imeggc32.exe 2100 Imeggc32.exe 2016 Ibapoj32.exe 2016 Ibapoj32.exe 868 Jilhldfn.exe 868 Jilhldfn.exe 568 Jnhqdkde.exe 568 Jnhqdkde.exe 1236 Jagmpg32.exe 1236 Jagmpg32.exe 1292 Jebiaelb.exe 1292 Jebiaelb.exe 2980 Jklanp32.exe 2980 Jklanp32.exe 1656 Jnkmjk32.exe 1656 Jnkmjk32.exe 376 Jaiiff32.exe 376 Jaiiff32.exe 936 Jedefejo.exe 936 Jedefejo.exe 1976 Jcgfbb32.exe 1976 Jcgfbb32.exe 1028 Jnmjok32.exe 1028 Jnmjok32.exe 2320 Jmpjkggj.exe 2320 Jmpjkggj.exe 2944 Jfhocmnk.exe 2944 Jfhocmnk.exe 2516 Jnofejom.exe 2516 Jnofejom.exe 2628 Jclomamd.exe 2628 Jclomamd.exe 2940 Jfkkimlh.exe 2940 Jfkkimlh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Flabbihl.exe Fckjalhj.exe File created C:\Windows\SysWOW64\Hnempl32.dll Gacpdbej.exe File created C:\Windows\SysWOW64\Mpolmdkg.exe Mlcple32.exe File created C:\Windows\SysWOW64\Negbaime.dll Mpolmdkg.exe File created C:\Windows\SysWOW64\Bfmimf32.dll Madapkmp.exe File created C:\Windows\SysWOW64\Lmdpejfq.exe Lkfciogm.exe File created C:\Windows\SysWOW64\Pndaof32.dll Plfamfpm.exe File created C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File created C:\Windows\SysWOW64\Mdqafgnf.exe Menakj32.exe File created C:\Windows\SysWOW64\Dmoipopd.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Ahpjhc32.dll Gieojq32.exe File created C:\Windows\SysWOW64\Ohqbqhde.exe Nbfjdn32.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Dchali32.exe File created C:\Windows\SysWOW64\Midahn32.dll Eajaoq32.exe File created C:\Windows\SysWOW64\Fpdhklkl.exe Faagpp32.exe File created C:\Windows\SysWOW64\Hkfeblka.dll Mlcple32.exe File created C:\Windows\SysWOW64\Cnacpn32.dll Mhjpaf32.exe File created C:\Windows\SysWOW64\Poaljn32.dll Ofdcjm32.exe File created C:\Windows\SysWOW64\Hbfdaihk.dll Pphjgfqq.exe File opened for modification C:\Windows\SysWOW64\Coklgg32.exe Cllpkl32.exe File created C:\Windows\SysWOW64\Ciiqqh32.dll Jklanp32.exe File created C:\Windows\SysWOW64\Iklgpmjo.dll Cjlgiqbk.exe File created C:\Windows\SysWOW64\Efjcibje.dll Ebgacddo.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fioija32.exe File created C:\Windows\SysWOW64\Kjcgco32.exe Khekgc32.exe File opened for modification C:\Windows\SysWOW64\Pgobhcac.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Cfeddafl.exe Cgbdhd32.exe File created C:\Windows\SysWOW64\Mmqgncdn.dll Djefobmk.exe File created C:\Windows\SysWOW64\Kfmhol32.exe Jiigehkl.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qaefjm32.exe File created C:\Windows\SysWOW64\Nhabimad.dll Jagmpg32.exe File created C:\Windows\SysWOW64\Mcmhiojk.exe Mpolmdkg.exe File created C:\Windows\SysWOW64\Cibcni32.dll Qdccfh32.exe File opened for modification C:\Windows\SysWOW64\Apomfh32.exe Aalmklfi.exe File opened for modification C:\Windows\SysWOW64\Dkkpbgli.exe Ddagfm32.exe File created C:\Windows\SysWOW64\Dgaqgh32.exe Ddcdkl32.exe File opened for modification C:\Windows\SysWOW64\Jnmjok32.exe Jcgfbb32.exe File opened for modification C:\Windows\SysWOW64\Ajdadamj.exe Abmibdlh.exe File created C:\Windows\SysWOW64\Oadqjk32.dll Dkkpbgli.exe File created C:\Windows\SysWOW64\Dlnqnenm.dll Kfmhol32.exe File opened for modification C:\Windows\SysWOW64\Epaogi32.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Gfefiemq.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Ghhofmql.exe Gieojq32.exe File created C:\Windows\SysWOW64\Iagfoe32.exe Inljnfkg.exe File created C:\Windows\SysWOW64\Kipnfged.exe Kedaeh32.exe File created C:\Windows\SysWOW64\Ljpojo32.dll Paggai32.exe File created C:\Windows\SysWOW64\Ffakeiib.dll Bcaomf32.exe File created C:\Windows\SysWOW64\Emeopn32.exe Eijcpoac.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bagpopmj.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Elmigj32.exe File created C:\Windows\SysWOW64\Kbcicmpj.exe Kikdkh32.exe File created C:\Windows\SysWOW64\Kcehqcli.dll Lpeifeca.exe File created C:\Windows\SysWOW64\Ncmdhb32.exe Npnhlg32.exe File opened for modification C:\Windows\SysWOW64\Ogmfbd32.exe Ocajbekl.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qmlgonbe.exe File created C:\Windows\SysWOW64\Dfdceg32.dll Qecoqk32.exe File created C:\Windows\SysWOW64\Acccpj32.dll Hgjbmoob.exe File created C:\Windows\SysWOW64\Hjkkojlc.exe Hdncgbnl.exe File opened for modification C:\Windows\SysWOW64\Kfoedl32.exe Kbcicmpj.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Fdapak32.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gphmeo32.exe File created C:\Windows\SysWOW64\Filldb32.exe Ffnphf32.exe File created C:\Windows\SysWOW64\Lndipl32.dll Lhjdbcef.exe File created C:\Windows\SysWOW64\Inbndkhn.dll Meigpkka.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4840 4808 WerFault.exe 381 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcfcmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmjaic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmdpejfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcbom32.dll" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakndl32.dll" Jfkkimlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doffod32.dll" Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obnqem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqamandk.dll" Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgbebiao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjiammk.dll" Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qjmkcbcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjhpbe32.dll" Limmokib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbpqb32.dll" Bbflib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gelppaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjfhhen.dll" Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adhlaggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Khekgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmiipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glfhll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfmhol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfecaop.dll" Ncmdhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plfamfpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aljgfioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egdilkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jaiiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Menakj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhahlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll" Hellne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfegkapd.dll" Ppmdbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qecoqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfmhol32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 1680 2340 0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe 28 PID 2340 wrote to memory of 1680 2340 0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe 28 PID 2340 wrote to memory of 1680 2340 0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe 28 PID 2340 wrote to memory of 1680 2340 0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe 28 PID 1680 wrote to memory of 2144 1680 Hamjehqk.exe 29 PID 1680 wrote to memory of 2144 1680 Hamjehqk.exe 29 PID 1680 wrote to memory of 2144 1680 Hamjehqk.exe 29 PID 1680 wrote to memory of 2144 1680 Hamjehqk.exe 29 PID 2144 wrote to memory of 2528 2144 Hgjbmoob.exe 30 PID 2144 wrote to memory of 2528 2144 Hgjbmoob.exe 30 PID 2144 wrote to memory of 2528 2144 Hgjbmoob.exe 30 PID 2144 wrote to memory of 2528 2144 Hgjbmoob.exe 30 PID 2528 wrote to memory of 2788 2528 Hdncgbnl.exe 31 PID 2528 wrote to memory of 2788 2528 Hdncgbnl.exe 31 PID 2528 wrote to memory of 2788 2528 Hdncgbnl.exe 31 PID 2528 wrote to memory of 2788 2528 Hdncgbnl.exe 31 PID 2788 wrote to memory of 2688 2788 Hjkkojlc.exe 32 PID 2788 wrote to memory of 2688 2788 Hjkkojlc.exe 32 PID 2788 wrote to memory of 2688 2788 Hjkkojlc.exe 32 PID 2788 wrote to memory of 2688 2788 Hjkkojlc.exe 32 PID 2688 wrote to memory of 2536 2688 Hdpplb32.exe 33 PID 2688 wrote to memory of 2536 2688 Hdpplb32.exe 33 PID 2688 wrote to memory of 2536 2688 Hdpplb32.exe 33 PID 2688 wrote to memory of 2536 2688 Hdpplb32.exe 33 PID 2536 wrote to memory of 2544 2536 Hkjhimcf.exe 34 PID 2536 wrote to memory of 2544 2536 Hkjhimcf.exe 34 PID 2536 wrote to memory of 2544 2536 Hkjhimcf.exe 34 PID 2536 wrote to memory of 2544 2536 Hkjhimcf.exe 34 PID 2544 wrote to memory of 2880 2544 Iqgqacam.exe 35 PID 2544 wrote to memory of 2880 2544 Iqgqacam.exe 35 PID 2544 wrote to memory of 2880 2544 Iqgqacam.exe 35 PID 2544 wrote to memory of 2880 2544 Iqgqacam.exe 35 PID 2880 wrote to memory of 1272 2880 Ifdiijpe.exe 36 PID 2880 wrote to memory of 1272 2880 Ifdiijpe.exe 36 PID 2880 wrote to memory of 1272 2880 Ifdiijpe.exe 36 PID 2880 wrote to memory of 1272 2880 Ifdiijpe.exe 36 PID 1272 wrote to memory of 1528 1272 Iolmbpfe.exe 37 PID 1272 wrote to memory of 1528 1272 Iolmbpfe.exe 37 PID 1272 wrote to memory of 1528 1272 Iolmbpfe.exe 37 PID 1272 wrote to memory of 1528 1272 Iolmbpfe.exe 37 PID 1528 wrote to memory of 1852 1528 Iffeoj32.exe 38 PID 1528 wrote to memory of 1852 1528 Iffeoj32.exe 38 PID 1528 wrote to memory of 1852 1528 Iffeoj32.exe 38 PID 1528 wrote to memory of 1852 1528 Iffeoj32.exe 38 PID 1852 wrote to memory of 2724 1852 Iqljlb32.exe 39 PID 1852 wrote to memory of 2724 1852 Iqljlb32.exe 39 PID 1852 wrote to memory of 2724 1852 Iqljlb32.exe 39 PID 1852 wrote to memory of 2724 1852 Iqljlb32.exe 39 PID 2724 wrote to memory of 1392 2724 Icjfhn32.exe 40 PID 2724 wrote to memory of 1392 2724 Icjfhn32.exe 40 PID 2724 wrote to memory of 1392 2724 Icjfhn32.exe 40 PID 2724 wrote to memory of 1392 2724 Icjfhn32.exe 40 PID 1392 wrote to memory of 2092 1392 Iigoqe32.exe 41 PID 1392 wrote to memory of 2092 1392 Iigoqe32.exe 41 PID 1392 wrote to memory of 2092 1392 Iigoqe32.exe 41 PID 1392 wrote to memory of 2092 1392 Iigoqe32.exe 41 PID 2092 wrote to memory of 2100 2092 Ibocjk32.exe 42 PID 2092 wrote to memory of 2100 2092 Ibocjk32.exe 42 PID 2092 wrote to memory of 2100 2092 Ibocjk32.exe 42 PID 2092 wrote to memory of 2100 2092 Ibocjk32.exe 42 PID 2100 wrote to memory of 2016 2100 Imeggc32.exe 43 PID 2100 wrote to memory of 2016 2100 Imeggc32.exe 43 PID 2100 wrote to memory of 2016 2100 Imeggc32.exe 43 PID 2100 wrote to memory of 2016 2100 Imeggc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe"C:\Users\Admin\AppData\Local\Temp\0bb2e0781845e5ab456554a0ee1b9fcb6cf06681e5eec8cf62dcf09b6b3e15fe.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Hamjehqk.exeC:\Windows\system32\Hamjehqk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Hkjhimcf.exeC:\Windows\system32\Hkjhimcf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe37⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe39⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe42⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe43⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe44⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe46⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe47⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe48⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe49⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe52⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe54⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe55⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe56⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe58⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe63⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe64⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe65⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe66⤵PID:1108
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:484 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe68⤵PID:1112
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe69⤵PID:2104
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe70⤵PID:1604
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe71⤵PID:1132
-
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe72⤵PID:2904
-
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe73⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe75⤵PID:2560
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe76⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe78⤵PID:1548
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe79⤵PID:1620
-
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe80⤵PID:2124
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:748 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe84⤵PID:1648
-
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1240 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe86⤵PID:1728
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe87⤵
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe88⤵PID:2616
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe89⤵PID:2596
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe90⤵PID:2476
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe91⤵PID:1824
-
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe92⤵PID:944
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe93⤵PID:1748
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe94⤵PID:1316
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe95⤵PID:1408
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe96⤵PID:1096
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe97⤵PID:2088
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe98⤵PID:352
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe99⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe100⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe102⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe103⤵PID:2660
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe104⤵PID:2744
-
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe106⤵PID:2588
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe107⤵PID:1944
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe108⤵PID:932
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe109⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe110⤵PID:1448
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe111⤵PID:828
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe112⤵PID:1880
-
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe115⤵PID:2800
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe116⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe117⤵PID:2636
-
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe118⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe119⤵PID:1744
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe120⤵PID:2396
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe121⤵PID:1040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-