Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24/06/2024, 19:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe
-
Size
128KB
-
MD5
0600834886a34f5880dc68f417959aa6
-
SHA1
bcab449fda773657d4351db9b5d5564ed987bf7d
-
SHA256
1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3
-
SHA512
f1eb629c132b70606627a152fc22a068ae53ef05b5f40efa7ee6a176d3916367bb4a985d3338e0e9f1302997ce1f34595a538fac07f780446757198410cd5449
-
SSDEEP
1536:2FhJLBiA/5ZmLMbMOpy8Xm7rsF1+5zVQRQDWRfRa9HprmRfRJCLIXG:mtiAGQbMOpy9sAOeDW5wkpHxG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohigamf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifkacb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiqpop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbqabkql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpagq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niikceid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abmbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdbkjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigbhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nglfapnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haiccald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofhick32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjmaaddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfdabino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hakphqja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ookmfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbakpdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmhaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpcmpijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmafj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npccpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlockkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfoqmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Annbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfeppop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbjochdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlngpjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mholen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdneebf.exe -
Executes dropped EXE 64 IoCs
pid Process 2096 Cgmkmecg.exe 2540 Cdakgibq.exe 2676 Cllpkl32.exe 1236 Chcqpmep.exe 2812 Cfgaiaci.exe 2440 Claifkkf.exe 2496 Cdlnkmha.exe 2820 Ckffgg32.exe 2984 Dkhcmgnl.exe 2756 Dqelenlc.exe 1512 Dnilobkm.exe 1928 Ddcdkl32.exe 2652 Dmoipopd.exe 624 Dgdmmgpj.exe 2080 Dqlafm32.exe 1252 Dfijnd32.exe 772 Eflgccbp.exe 1324 Eijcpoac.exe 1864 Epdkli32.exe 2840 Efncicpm.exe 1360 Ekklaj32.exe 896 Eecqjpee.exe 1856 Eiaiqn32.exe 1300 Eloemi32.exe 864 Flabbihl.exe 1564 Faokjpfd.exe 2168 Fmekoalh.exe 2556 Fpdhklkl.exe 2704 Fpfdalii.exe 2696 Fbdqmghm.exe 2736 Fphafl32.exe 1016 Fddmgjpo.exe 2152 Gbijhg32.exe 2964 Gicbeald.exe 2976 Ghfbqn32.exe 2648 Gkgkbipp.exe 1484 Gbnccfpb.exe 1724 Gdopkn32.exe 2776 Gmjaic32.exe 1428 Gphmeo32.exe 2264 Hmlnoc32.exe 2296 Hdfflm32.exe 2108 Hpmgqnfl.exe 680 Hckcmjep.exe 2996 Hlcgeo32.exe 1312 Hgilchkf.exe 2872 Hjhhocjj.exe 776 Hlfdkoin.exe 1148 Hodpgjha.exe 3060 Henidd32.exe 3068 Hlhaqogk.exe 2180 Icbimi32.exe 2120 Iaeiieeb.exe 2452 Ihoafpmp.exe 2828 Ioijbj32.exe 2524 Idfbkq32.exe 2616 Ihankokm.exe 2816 Iokfhi32.exe 2748 Inngcfid.exe 2772 Idhopq32.exe 2784 Ijeghgoh.exe 844 Iblpjdpk.exe 2272 Icmlam32.exe 2424 Ijgdngmf.exe -
Loads dropped DLL 64 IoCs
pid Process 3020 1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe 3020 1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe 2096 Cgmkmecg.exe 2096 Cgmkmecg.exe 2540 Cdakgibq.exe 2540 Cdakgibq.exe 2676 Cllpkl32.exe 2676 Cllpkl32.exe 1236 Chcqpmep.exe 1236 Chcqpmep.exe 2812 Cfgaiaci.exe 2812 Cfgaiaci.exe 2440 Claifkkf.exe 2440 Claifkkf.exe 2496 Cdlnkmha.exe 2496 Cdlnkmha.exe 2820 Ckffgg32.exe 2820 Ckffgg32.exe 2984 Dkhcmgnl.exe 2984 Dkhcmgnl.exe 2756 Dqelenlc.exe 2756 Dqelenlc.exe 1512 Dnilobkm.exe 1512 Dnilobkm.exe 1928 Ddcdkl32.exe 1928 Ddcdkl32.exe 2652 Dmoipopd.exe 2652 Dmoipopd.exe 624 Dgdmmgpj.exe 624 Dgdmmgpj.exe 2080 Dqlafm32.exe 2080 Dqlafm32.exe 1252 Dfijnd32.exe 1252 Dfijnd32.exe 772 Eflgccbp.exe 772 Eflgccbp.exe 1324 Eijcpoac.exe 1324 Eijcpoac.exe 1864 Epdkli32.exe 1864 Epdkli32.exe 2840 Efncicpm.exe 2840 Efncicpm.exe 1360 Ekklaj32.exe 1360 Ekklaj32.exe 896 Eecqjpee.exe 896 Eecqjpee.exe 1856 Eiaiqn32.exe 1856 Eiaiqn32.exe 1300 Eloemi32.exe 1300 Eloemi32.exe 864 Flabbihl.exe 864 Flabbihl.exe 1564 Faokjpfd.exe 1564 Faokjpfd.exe 2168 Fmekoalh.exe 2168 Fmekoalh.exe 2556 Fpdhklkl.exe 2556 Fpdhklkl.exe 2704 Fpfdalii.exe 2704 Fpfdalii.exe 2696 Fbdqmghm.exe 2696 Fbdqmghm.exe 2736 Fphafl32.exe 2736 Fphafl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Flabbihl.exe Eloemi32.exe File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Lpphap32.exe Kmaled32.exe File opened for modification C:\Windows\SysWOW64\Nejiih32.exe Nlbeqb32.exe File created C:\Windows\SysWOW64\Lnbbbffj.exe Ljffag32.exe File created C:\Windows\SysWOW64\Nlekia32.exe Nigome32.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Dmoipopd.exe File created C:\Windows\SysWOW64\Nejiih32.exe Nlbeqb32.exe File created C:\Windows\SysWOW64\Enfenplo.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Fhneehek.exe Fepiimfg.exe File created C:\Windows\SysWOW64\Ngdifkpi.exe Ndemjoae.exe File created C:\Windows\SysWOW64\Aamfnkai.exe Aplifb32.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Magqncba.exe File created C:\Windows\SysWOW64\Oalfhf32.exe Okanklik.exe File created C:\Windows\SysWOW64\Bfkpqn32.exe Bdmddc32.exe File created C:\Windows\SysWOW64\Oddpfc32.exe Ojolhk32.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Bemgilhh.exe File opened for modification C:\Windows\SysWOW64\Cdgneh32.exe Cahail32.exe File created C:\Windows\SysWOW64\Fbdjbaea.exe Fjmaaddo.exe File created C:\Windows\SysWOW64\Odmfgh32.dll Heihnoph.exe File created C:\Windows\SysWOW64\Lbgafalg.dll Jocflgga.exe File created C:\Windows\SysWOW64\Ajhgmpfg.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Ckjpacfp.exe Blgpef32.exe File opened for modification C:\Windows\SysWOW64\Cjfccn32.exe Cclkfdnc.exe File created C:\Windows\SysWOW64\Ebpopmpp.dll Fnkjhb32.exe File created C:\Windows\SysWOW64\Kofopj32.exe Kmgbdo32.exe File opened for modification C:\Windows\SysWOW64\Npagjpcd.exe Nlekia32.exe File opened for modification C:\Windows\SysWOW64\Mpmapm32.exe Libicbma.exe File opened for modification C:\Windows\SysWOW64\Efncicpm.exe Epdkli32.exe File created C:\Windows\SysWOW64\Lopekk32.dll Ekklaj32.exe File created C:\Windows\SysWOW64\Hmlnoc32.exe Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Imfqjbli.exe Ijgdngmf.exe File created C:\Windows\SysWOW64\Kgiaak32.dll Jqdipqbp.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Okgnab32.exe File created C:\Windows\SysWOW64\Oepbgcpb.dll Oqcpob32.exe File opened for modification C:\Windows\SysWOW64\Namqci32.exe Nkbhgojk.exe File created C:\Windows\SysWOW64\Fjkhohik.dll Obcccl32.exe File created C:\Windows\SysWOW64\Ilcbjpbn.dll Aadloj32.exe File opened for modification C:\Windows\SysWOW64\Idcokkak.exe Ipgbjl32.exe File created C:\Windows\SysWOW64\Kfbcbd32.exe Kohkfj32.exe File opened for modification C:\Windows\SysWOW64\Libicbma.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Dglhipbb.dll Kihqkagp.exe File created C:\Windows\SysWOW64\Cclkfdnc.exe Cpnojioo.exe File opened for modification C:\Windows\SysWOW64\Gjdhbc32.exe Ghelfg32.exe File opened for modification C:\Windows\SysWOW64\Jcjdpj32.exe Jnmlhchd.exe File created C:\Windows\SysWOW64\Nffjeaid.dll Leljop32.exe File created C:\Windows\SysWOW64\Lfnbefhd.dll Njlockkm.exe File created C:\Windows\SysWOW64\Bneqdoee.dll Ckjpacfp.exe File created C:\Windows\SysWOW64\Jcjdpj32.exe Jnmlhchd.exe File created C:\Windows\SysWOW64\Aigchgkh.exe Agfgqo32.exe File created C:\Windows\SysWOW64\Mijfnh32.exe Mgljbm32.exe File created C:\Windows\SysWOW64\Gjpmgg32.dll Ccngld32.exe File opened for modification C:\Windows\SysWOW64\Qodlkm32.exe Qkhpkoen.exe File opened for modification C:\Windows\SysWOW64\Pkpagq32.exe Pqkmjh32.exe File created C:\Windows\SysWOW64\Agjiphda.dll Behnnm32.exe File created C:\Windows\SysWOW64\Abofbl32.dll Echfaf32.exe File opened for modification C:\Windows\SysWOW64\Jmmfkafa.exe Jjojofgn.exe File created C:\Windows\SysWOW64\Jdbkjn32.exe Jnicmdli.exe File created C:\Windows\SysWOW64\Piekcd32.exe Pjbjhgde.exe File created C:\Windows\SysWOW64\Pdiadenf.dll Bpfeppop.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gicbeald.exe File opened for modification C:\Windows\SysWOW64\Mgqcmlgl.exe Mcegmm32.exe File created C:\Windows\SysWOW64\Alfadj32.dll Lghjel32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5772 5728 WerFault.exe 529 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjifqd32.dll" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmjqcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlepd32.dll" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdlklmn.dll" Gpncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnelabi.dll" Haiccald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocdmaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll" Pqemdbaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemacb32.dll" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afkdakjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njlockkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dndlim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bilmcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbjochdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqhijbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjmhe32.dll" Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimfgo32.dll" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll" Pfikmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbbngf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icmlam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjiphda.dll" Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhffdaei.dll" Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijdkh32.dll" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppnidgoj.dll" Fncdgcqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgphd32.dll" Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll" Pcibkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cinfhigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djihnh32.dll" Pgioaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pikkiijf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqiaclmk.dll" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdghad32.dll" Hlljjjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" Qqeicede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aigchgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" Baohhgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfkpqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chcqpmep.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3020 wrote to memory of 2096 3020 1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe 28 PID 3020 wrote to memory of 2096 3020 1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe 28 PID 3020 wrote to memory of 2096 3020 1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe 28 PID 3020 wrote to memory of 2096 3020 1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe 28 PID 2096 wrote to memory of 2540 2096 Cgmkmecg.exe 29 PID 2096 wrote to memory of 2540 2096 Cgmkmecg.exe 29 PID 2096 wrote to memory of 2540 2096 Cgmkmecg.exe 29 PID 2096 wrote to memory of 2540 2096 Cgmkmecg.exe 29 PID 2540 wrote to memory of 2676 2540 Cdakgibq.exe 30 PID 2540 wrote to memory of 2676 2540 Cdakgibq.exe 30 PID 2540 wrote to memory of 2676 2540 Cdakgibq.exe 30 PID 2540 wrote to memory of 2676 2540 Cdakgibq.exe 30 PID 2676 wrote to memory of 1236 2676 Cllpkl32.exe 31 PID 2676 wrote to memory of 1236 2676 Cllpkl32.exe 31 PID 2676 wrote to memory of 1236 2676 Cllpkl32.exe 31 PID 2676 wrote to memory of 1236 2676 Cllpkl32.exe 31 PID 1236 wrote to memory of 2812 1236 Chcqpmep.exe 32 PID 1236 wrote to memory of 2812 1236 Chcqpmep.exe 32 PID 1236 wrote to memory of 2812 1236 Chcqpmep.exe 32 PID 1236 wrote to memory of 2812 1236 Chcqpmep.exe 32 PID 2812 wrote to memory of 2440 2812 Cfgaiaci.exe 33 PID 2812 wrote to memory of 2440 2812 Cfgaiaci.exe 33 PID 2812 wrote to memory of 2440 2812 Cfgaiaci.exe 33 PID 2812 wrote to memory of 2440 2812 Cfgaiaci.exe 33 PID 2440 wrote to memory of 2496 2440 Claifkkf.exe 34 PID 2440 wrote to memory of 2496 2440 Claifkkf.exe 34 PID 2440 wrote to memory of 2496 2440 Claifkkf.exe 34 PID 2440 wrote to memory of 2496 2440 Claifkkf.exe 34 PID 2496 wrote to memory of 2820 2496 Cdlnkmha.exe 35 PID 2496 wrote to memory of 2820 2496 Cdlnkmha.exe 35 PID 2496 wrote to memory of 2820 2496 Cdlnkmha.exe 35 PID 2496 wrote to memory of 2820 2496 Cdlnkmha.exe 35 PID 2820 wrote to memory of 2984 2820 Ckffgg32.exe 36 PID 2820 wrote to memory of 2984 2820 Ckffgg32.exe 36 PID 2820 wrote to memory of 2984 2820 Ckffgg32.exe 36 PID 2820 wrote to memory of 2984 2820 Ckffgg32.exe 36 PID 2984 wrote to memory of 2756 2984 Dkhcmgnl.exe 37 PID 2984 wrote to memory of 2756 2984 Dkhcmgnl.exe 37 PID 2984 wrote to memory of 2756 2984 Dkhcmgnl.exe 37 PID 2984 wrote to memory of 2756 2984 Dkhcmgnl.exe 37 PID 2756 wrote to memory of 1512 2756 Dqelenlc.exe 38 PID 2756 wrote to memory of 1512 2756 Dqelenlc.exe 38 PID 2756 wrote to memory of 1512 2756 Dqelenlc.exe 38 PID 2756 wrote to memory of 1512 2756 Dqelenlc.exe 38 PID 1512 wrote to memory of 1928 1512 Dnilobkm.exe 39 PID 1512 wrote to memory of 1928 1512 Dnilobkm.exe 39 PID 1512 wrote to memory of 1928 1512 Dnilobkm.exe 39 PID 1512 wrote to memory of 1928 1512 Dnilobkm.exe 39 PID 1928 wrote to memory of 2652 1928 Ddcdkl32.exe 40 PID 1928 wrote to memory of 2652 1928 Ddcdkl32.exe 40 PID 1928 wrote to memory of 2652 1928 Ddcdkl32.exe 40 PID 1928 wrote to memory of 2652 1928 Ddcdkl32.exe 40 PID 2652 wrote to memory of 624 2652 Dmoipopd.exe 41 PID 2652 wrote to memory of 624 2652 Dmoipopd.exe 41 PID 2652 wrote to memory of 624 2652 Dmoipopd.exe 41 PID 2652 wrote to memory of 624 2652 Dmoipopd.exe 41 PID 624 wrote to memory of 2080 624 Dgdmmgpj.exe 42 PID 624 wrote to memory of 2080 624 Dgdmmgpj.exe 42 PID 624 wrote to memory of 2080 624 Dgdmmgpj.exe 42 PID 624 wrote to memory of 2080 624 Dgdmmgpj.exe 42 PID 2080 wrote to memory of 1252 2080 Dqlafm32.exe 43 PID 2080 wrote to memory of 1252 2080 Dqlafm32.exe 43 PID 2080 wrote to memory of 1252 2080 Dqlafm32.exe 43 PID 2080 wrote to memory of 1252 2080 Dqlafm32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe"C:\Users\Admin\AppData\Local\Temp\1afe60e316f66fc4da6333dfdf320f81cde17ce66d45bcf1fbede07a06adfec3.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe33⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe34⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe36⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe37⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe38⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe39⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe40⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1428 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe42⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe43⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe45⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe47⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe48⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe50⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe51⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe52⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe53⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe54⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe58⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe59⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe60⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe61⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe63⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe66⤵PID:668
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe67⤵PID:824
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe69⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe70⤵PID:2352
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe71⤵PID:2248
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe72⤵PID:2184
-
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe73⤵PID:1984
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe74⤵PID:2608
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe75⤵
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe76⤵PID:2620
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe77⤵PID:2484
-
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe79⤵PID:1936
-
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe80⤵PID:800
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe81⤵PID:2740
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe82⤵PID:1620
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe83⤵PID:2988
-
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe84⤵PID:1792
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe85⤵
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1752 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe87⤵PID:1992
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe88⤵PID:2664
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe90⤵PID:2488
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe91⤵PID:2948
-
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe92⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe93⤵PID:296
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe94⤵PID:1380
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe95⤵PID:2316
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe97⤵PID:1172
-
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe98⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe100⤵PID:1796
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe103⤵PID:3052
-
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe104⤵PID:2712
-
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe105⤵PID:2520
-
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe106⤵PID:2792
-
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe107⤵PID:2972
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe108⤵PID:2200
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe110⤵PID:2056
-
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe111⤵PID:1184
-
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe112⤵PID:1496
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe113⤵PID:1740
-
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe114⤵PID:2880
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe115⤵PID:2912
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe116⤵PID:2292
-
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe117⤵PID:1684
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe118⤵PID:2700
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe119⤵PID:2916
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe120⤵PID:1520
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe121⤵PID:1188
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-