Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03/06/2024, 18:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe
-
Size
169KB
-
MD5
3888cf45cb445050971ab435b9711b7e
-
SHA1
44d3083f0a05bde2a4f55065b9175080b76fc6d7
-
SHA256
06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5
-
SHA512
d09600e4bd1985783bd36d7b172aab8a2004c100e0e610b56d8d62e9bd91c91f2a3ee5e1572235a289984718f135401a2112f13c5af5d6a8f085a3566f2bfc98
-
SSDEEP
3072:zKhyNCq8NQYyMhl63MnRPxMeEvPOdgujv6NLPfFFrKP92f65Ha:zNCqwnpRJML3OdgawrFZKPf9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gljnej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhkpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlcnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naoniipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogeigofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nekbmgcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnofpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lflmci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mholen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heihnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngkogj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebedndfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nefpnhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjakmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqqboncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqpjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idfbkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkdeggl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdcji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpngfgle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpigfa32.exe -
Executes dropped EXE 64 IoCs
pid Process 896 Baildokg.exe 2444 Bhcdaibd.exe 2120 Bloqah32.exe 2492 Bkaqmeah.exe 2472 Bkfjhd32.exe 2656 Ckignd32.exe 2532 Cpeofk32.exe 2428 Cfbhnaho.exe 2936 Ccfhhffh.exe 280 Cfgaiaci.exe 1444 Cckace32.exe 752 Cdlnkmha.exe 2876 Dgmglh32.exe 1716 Dnilobkm.exe 576 Djpmccqq.exe 2908 Dgdmmgpj.exe 1084 Doobajme.exe 1848 Emcbkn32.exe 1356 Epaogi32.exe 3064 Epdkli32.exe 1156 Efncicpm.exe 2068 Ebedndfa.exe 3060 Efppoc32.exe 2236 Eeempocb.exe 2796 Egdilkbf.exe 1724 Fhffaj32.exe 2928 Fnpnndgp.exe 1904 Fdoclk32.exe 2504 Fpfdalii.exe 2368 Ffpmnf32.exe 2480 Fjlhneio.exe 2536 Fmlapp32.exe 2484 Globlmmj.exe 1416 Gbijhg32.exe 2692 Gbkgnfbd.exe 1776 Gieojq32.exe 2600 Gldkfl32.exe 2624 Ghkllmoi.exe 2904 Glfhll32.exe 2240 Ggpimica.exe 2244 Gogangdc.exe 1488 Gmjaic32.exe 2328 Gddifnbk.exe 3036 Hknach32.exe 1316 Hmlnoc32.exe 1764 Hahjpbad.exe 2820 Hdfflm32.exe 2976 Hcifgjgc.exe 352 Hicodd32.exe 2184 Hckcmjep.exe 2948 Hejoiedd.exe 2152 Hnagjbdf.exe 2272 Hlcgeo32.exe 1236 Hellne32.exe 2556 Hlfdkoin.exe 2764 Hodpgjha.exe 848 Hacmcfge.exe 2376 Hhmepp32.exe 2660 Hkkalk32.exe 2604 Ieqeidnl.exe 2728 Idceea32.exe 824 Iknnbklc.exe 2200 Ioijbj32.exe 1480 Ifcbodli.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe 2296 06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe 896 Baildokg.exe 896 Baildokg.exe 2444 Bhcdaibd.exe 2444 Bhcdaibd.exe 2120 Bloqah32.exe 2120 Bloqah32.exe 2492 Bkaqmeah.exe 2492 Bkaqmeah.exe 2472 Bkfjhd32.exe 2472 Bkfjhd32.exe 2656 Ckignd32.exe 2656 Ckignd32.exe 2532 Cpeofk32.exe 2532 Cpeofk32.exe 2428 Cfbhnaho.exe 2428 Cfbhnaho.exe 2936 Ccfhhffh.exe 2936 Ccfhhffh.exe 280 Cfgaiaci.exe 280 Cfgaiaci.exe 1444 Cckace32.exe 1444 Cckace32.exe 752 Cdlnkmha.exe 752 Cdlnkmha.exe 2876 Dgmglh32.exe 2876 Dgmglh32.exe 1716 Dnilobkm.exe 1716 Dnilobkm.exe 576 Djpmccqq.exe 576 Djpmccqq.exe 2908 Dgdmmgpj.exe 2908 Dgdmmgpj.exe 1084 Doobajme.exe 1084 Doobajme.exe 1848 Emcbkn32.exe 1848 Emcbkn32.exe 1356 Epaogi32.exe 1356 Epaogi32.exe 3064 Epdkli32.exe 3064 Epdkli32.exe 1156 Efncicpm.exe 1156 Efncicpm.exe 2068 Ebedndfa.exe 2068 Ebedndfa.exe 3060 Efppoc32.exe 3060 Efppoc32.exe 2236 Eeempocb.exe 2236 Eeempocb.exe 2796 Egdilkbf.exe 2796 Egdilkbf.exe 1724 Fhffaj32.exe 1724 Fhffaj32.exe 2928 Fnpnndgp.exe 2928 Fnpnndgp.exe 1904 Fdoclk32.exe 1904 Fdoclk32.exe 2504 Fpfdalii.exe 2504 Fpfdalii.exe 2368 Ffpmnf32.exe 2368 Ffpmnf32.exe 2480 Fjlhneio.exe 2480 Fjlhneio.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kjjmbj32.exe File created C:\Windows\SysWOW64\Cldooj32.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Gpncej32.exe Gmpgio32.exe File opened for modification C:\Windows\SysWOW64\Jfknbe32.exe Joaeeklp.exe File opened for modification C:\Windows\SysWOW64\Kpjhkjde.exe Keednado.exe File created C:\Windows\SysWOW64\Dljnnb32.dll Ipgbjl32.exe File created C:\Windows\SysWOW64\Lanaiahq.exe Knpemf32.exe File created C:\Windows\SysWOW64\Idfbkq32.exe Ifcbodli.exe File opened for modification C:\Windows\SysWOW64\Igkdgk32.exe Imfqjbli.exe File created C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File opened for modification C:\Windows\SysWOW64\Ngpolo32.exe Npfgpe32.exe File created C:\Windows\SysWOW64\Fqiaclmk.dll Obcccl32.exe File created C:\Windows\SysWOW64\Ebjglbml.exe Eqijej32.exe File opened for modification C:\Windows\SysWOW64\Npdjje32.exe Nnennj32.exe File created C:\Windows\SysWOW64\Pimkpfeh.exe Obcccl32.exe File created C:\Windows\SysWOW64\Ahgnke32.exe Aehboi32.exe File opened for modification C:\Windows\SysWOW64\Dbkknojp.exe Dolnad32.exe File created C:\Windows\SysWOW64\Kmfoak32.dll Kmjojo32.exe File created C:\Windows\SysWOW64\Lndohedg.exe Lgjfkk32.exe File created C:\Windows\SysWOW64\Dhdcji32.exe Dbkknojp.exe File created C:\Windows\SysWOW64\Abofbl32.dll Fjaonpnn.exe File opened for modification C:\Windows\SysWOW64\Kmgbdo32.exe Kjifhc32.exe File created C:\Windows\SysWOW64\Mdeced32.dll Dgmglh32.exe File created C:\Windows\SysWOW64\Ieqeidnl.exe Hkkalk32.exe File opened for modification C:\Windows\SysWOW64\Lckdanld.exe Lldlqakb.exe File created C:\Windows\SysWOW64\Nchnel32.dll Oobjaqaj.exe File created C:\Windows\SysWOW64\Pbfpik32.exe Pogclp32.exe File opened for modification C:\Windows\SysWOW64\Ceodnl32.exe Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Lmikibio.exe Ljkomfjl.exe File opened for modification C:\Windows\SysWOW64\Lccdel32.exe Laegiq32.exe File created C:\Windows\SysWOW64\Bioggp32.dll Cfgaiaci.exe File created C:\Windows\SysWOW64\Kgbggnhc.exe Kmmcjehm.exe File opened for modification C:\Windows\SysWOW64\Lflmci32.exe Lpbefoai.exe File opened for modification C:\Windows\SysWOW64\Llnofpcg.exe Lahkigca.exe File created C:\Windows\SysWOW64\Ojolhk32.exe Ngpolo32.exe File created C:\Windows\SysWOW64\Bllbijej.dll Aipddi32.exe File opened for modification C:\Windows\SysWOW64\Ihgainbg.exe Iamimc32.exe File created C:\Windows\SysWOW64\Iompkh32.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Gieojq32.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Fealjk32.dll Hdfflm32.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Ogeigofa.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Cohigamf.exe Clilkfnb.exe File created C:\Windows\SysWOW64\Hgmalg32.exe Hdnepk32.exe File created C:\Windows\SysWOW64\Midahn32.dll Eeempocb.exe File created C:\Windows\SysWOW64\Gffoia32.dll Jmocpado.exe File created C:\Windows\SysWOW64\Bmpfojmp.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Lbadbn32.dll Eccmffjf.exe File created C:\Windows\SysWOW64\Jnkpbcjg.exe Jdbkjn32.exe File created C:\Windows\SysWOW64\Kebgia32.exe Kfpgmdog.exe File created C:\Windows\SysWOW64\Gmjaic32.exe Gogangdc.exe File created C:\Windows\SysWOW64\Ncolgf32.dll Hknach32.exe File created C:\Windows\SysWOW64\Hkfagfop.exe Hhgdkjol.exe File created C:\Windows\SysWOW64\Mbmjah32.exe Mlcbenjb.exe File opened for modification C:\Windows\SysWOW64\Ojolhk32.exe Ngpolo32.exe File created C:\Windows\SysWOW64\Oqideepg.exe Ojolhk32.exe File created C:\Windows\SysWOW64\Kfommp32.dll Pnomcl32.exe File created C:\Windows\SysWOW64\Jhljdm32.exe Jfnnha32.exe File created C:\Windows\SysWOW64\Kmgbdo32.exe Kjifhc32.exe File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe Dhnmij32.exe File created C:\Windows\SysWOW64\Ckgkkllh.dll Ddgjdk32.exe File created C:\Windows\SysWOW64\Epdkli32.exe Epaogi32.exe File created C:\Windows\SysWOW64\Ebedndfa.exe Efncicpm.exe File opened for modification C:\Windows\SysWOW64\Kihqkagp.exe Jbnhng32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4092 5112 WerFault.exe 458 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" Cdlnkmha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkdneid.dll" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqkmbmdg.dll" Mlibjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnajilng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekkkkhe.dll" Kfbkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofelmloo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egdilkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjobj32.dll" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igchlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfpgmdog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlegpjp.dll" Ncgdbmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghcamqb.dll" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll" Jgfqaiod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhkga32.dll" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllbijej.dll" Aipddi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekkdc32.dll" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agkfljge.dll" Hlqdei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbnlj32.dll" Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afldcl32.dll" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdkghm32.dll" Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll" Mlhkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkmeh32.dll" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikddbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lollckbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Figlolbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abofbl32.dll" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Magqncba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngdifkpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naimccpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgefik32.dll" Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjnkb32.dll" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iieipa32.dll" Fllnlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpncej32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 896 2296 06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe 28 PID 2296 wrote to memory of 896 2296 06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe 28 PID 2296 wrote to memory of 896 2296 06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe 28 PID 2296 wrote to memory of 896 2296 06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe 28 PID 896 wrote to memory of 2444 896 Baildokg.exe 29 PID 896 wrote to memory of 2444 896 Baildokg.exe 29 PID 896 wrote to memory of 2444 896 Baildokg.exe 29 PID 896 wrote to memory of 2444 896 Baildokg.exe 29 PID 2444 wrote to memory of 2120 2444 Bhcdaibd.exe 30 PID 2444 wrote to memory of 2120 2444 Bhcdaibd.exe 30 PID 2444 wrote to memory of 2120 2444 Bhcdaibd.exe 30 PID 2444 wrote to memory of 2120 2444 Bhcdaibd.exe 30 PID 2120 wrote to memory of 2492 2120 Bloqah32.exe 31 PID 2120 wrote to memory of 2492 2120 Bloqah32.exe 31 PID 2120 wrote to memory of 2492 2120 Bloqah32.exe 31 PID 2120 wrote to memory of 2492 2120 Bloqah32.exe 31 PID 2492 wrote to memory of 2472 2492 Bkaqmeah.exe 32 PID 2492 wrote to memory of 2472 2492 Bkaqmeah.exe 32 PID 2492 wrote to memory of 2472 2492 Bkaqmeah.exe 32 PID 2492 wrote to memory of 2472 2492 Bkaqmeah.exe 32 PID 2472 wrote to memory of 2656 2472 Bkfjhd32.exe 33 PID 2472 wrote to memory of 2656 2472 Bkfjhd32.exe 33 PID 2472 wrote to memory of 2656 2472 Bkfjhd32.exe 33 PID 2472 wrote to memory of 2656 2472 Bkfjhd32.exe 33 PID 2656 wrote to memory of 2532 2656 Ckignd32.exe 34 PID 2656 wrote to memory of 2532 2656 Ckignd32.exe 34 PID 2656 wrote to memory of 2532 2656 Ckignd32.exe 34 PID 2656 wrote to memory of 2532 2656 Ckignd32.exe 34 PID 2532 wrote to memory of 2428 2532 Cpeofk32.exe 35 PID 2532 wrote to memory of 2428 2532 Cpeofk32.exe 35 PID 2532 wrote to memory of 2428 2532 Cpeofk32.exe 35 PID 2532 wrote to memory of 2428 2532 Cpeofk32.exe 35 PID 2428 wrote to memory of 2936 2428 Cfbhnaho.exe 36 PID 2428 wrote to memory of 2936 2428 Cfbhnaho.exe 36 PID 2428 wrote to memory of 2936 2428 Cfbhnaho.exe 36 PID 2428 wrote to memory of 2936 2428 Cfbhnaho.exe 36 PID 2936 wrote to memory of 280 2936 Ccfhhffh.exe 37 PID 2936 wrote to memory of 280 2936 Ccfhhffh.exe 37 PID 2936 wrote to memory of 280 2936 Ccfhhffh.exe 37 PID 2936 wrote to memory of 280 2936 Ccfhhffh.exe 37 PID 280 wrote to memory of 1444 280 Cfgaiaci.exe 38 PID 280 wrote to memory of 1444 280 Cfgaiaci.exe 38 PID 280 wrote to memory of 1444 280 Cfgaiaci.exe 38 PID 280 wrote to memory of 1444 280 Cfgaiaci.exe 38 PID 1444 wrote to memory of 752 1444 Cckace32.exe 39 PID 1444 wrote to memory of 752 1444 Cckace32.exe 39 PID 1444 wrote to memory of 752 1444 Cckace32.exe 39 PID 1444 wrote to memory of 752 1444 Cckace32.exe 39 PID 752 wrote to memory of 2876 752 Cdlnkmha.exe 40 PID 752 wrote to memory of 2876 752 Cdlnkmha.exe 40 PID 752 wrote to memory of 2876 752 Cdlnkmha.exe 40 PID 752 wrote to memory of 2876 752 Cdlnkmha.exe 40 PID 2876 wrote to memory of 1716 2876 Dgmglh32.exe 41 PID 2876 wrote to memory of 1716 2876 Dgmglh32.exe 41 PID 2876 wrote to memory of 1716 2876 Dgmglh32.exe 41 PID 2876 wrote to memory of 1716 2876 Dgmglh32.exe 41 PID 1716 wrote to memory of 576 1716 Dnilobkm.exe 42 PID 1716 wrote to memory of 576 1716 Dnilobkm.exe 42 PID 1716 wrote to memory of 576 1716 Dnilobkm.exe 42 PID 1716 wrote to memory of 576 1716 Dnilobkm.exe 42 PID 576 wrote to memory of 2908 576 Djpmccqq.exe 43 PID 576 wrote to memory of 2908 576 Djpmccqq.exe 43 PID 576 wrote to memory of 2908 576 Djpmccqq.exe 43 PID 576 wrote to memory of 2908 576 Djpmccqq.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe"C:\Users\Admin\AppData\Local\Temp\06fbe51c389d145d1a439315a66df4e1d70a89c5fba38e78e4428db43ea7fcb5.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe33⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe34⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe37⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe38⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe39⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe40⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe43⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe47⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe49⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe50⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe51⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe52⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe54⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe55⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe56⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe58⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe59⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe61⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe62⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe63⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe64⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe67⤵PID:2188
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe69⤵PID:1248
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe70⤵PID:1740
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe71⤵PID:1380
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe72⤵PID:1500
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe73⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe74⤵PID:2172
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe75⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe76⤵PID:2508
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe77⤵PID:3004
-
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe78⤵PID:1552
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe79⤵PID:2652
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe80⤵PID:2884
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe81⤵PID:1868
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe82⤵PID:2712
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe83⤵PID:2400
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe84⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe85⤵PID:384
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe87⤵PID:1992
-
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe88⤵PID:2540
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe89⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe90⤵PID:2340
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe91⤵PID:1684
-
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe92⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe94⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe95⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe96⤵PID:2360
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe97⤵PID:2004
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe98⤵PID:2020
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe99⤵PID:2148
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe100⤵PID:1920
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe101⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe102⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe103⤵PID:1632
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe104⤵PID:532
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe105⤵PID:3016
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe106⤵PID:2216
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2276 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe111⤵PID:2356
-
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe112⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe113⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe114⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe116⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe117⤵PID:1680
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe118⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe119⤵PID:1548
-
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe120⤵PID:1828
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe121⤵PID:876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-