Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
30/06/2024, 19:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe
-
Size
92KB
-
MD5
0a5d7d0aa4a720955e433c4840990c0b
-
SHA1
784caef1a2eacc147716a5b292810c0eb67badb0
-
SHA256
17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad
-
SHA512
bbcb561b051cee9e2acee5558d03c60881c802e28604955407a225595004015475fb1b104e5588dc3665e195e0ba736a5e6731e959b081df4b85d68b17350457
-
SSDEEP
1536:SjmU1xU668jaQlgk2gX94ZnVkE6BNNMnADtjXq+66DFUABABOVLefE3:QxU6VHapE9kyE6BZtj6+JB8M3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackkppma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndniaop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljnej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkccpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkjdhpea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epdkli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqopea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkgocpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajphib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagmmgdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afiecb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qflhbhgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelmai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkaiqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngmgjeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oobjaqaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djmicm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laplei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgmjjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpodagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komfnnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjpaf32.exe -
Executes dropped EXE 64 IoCs
pid Process 3040 Iidbke32.exe 2712 Ibmfdkcf.exe 2696 Ibocjk32.exe 2604 Iiikfehq.exe 2616 Jeplkf32.exe 2632 Jkjdhpea.exe 3044 Jebiaelb.exe 2800 Jbfijjkl.exe 1732 Jgcabqic.exe 1552 Jjanolhg.exe 2492 Jegble32.exe 1772 Jjdkdl32.exe 1080 Jclomamd.exe 2060 Jmdcfg32.exe 1240 Kfmhol32.exe 2828 Kljqgc32.exe 400 Kebepion.exe 1504 Kphimanc.exe 836 Kipnfged.exe 1128 Komfnnck.exe 1544 Kbhbom32.exe 1380 Khekgc32.exe 1620 Kdlkld32.exe 2008 Loapim32.exe 2248 Laplei32.exe 1692 Lmgmjjdn.exe 1712 Limmokib.exe 2780 Ladeqhjd.exe 2684 Llnfaffc.exe 2832 Ldenbcge.exe 1912 Loooca32.exe 2620 Meigpkka.exe 1948 Midcpj32.exe 2816 Mhjpaf32.exe 792 Mlgigdoh.exe 760 Mnieom32.exe 1764 Mgajhbkg.exe 288 Mkmfhacp.exe 1068 Mdejaf32.exe 1088 Mkobnqan.exe 2956 Naikkk32.exe 880 Ncjgbcoi.exe 2284 Nfkpdn32.exe 1488 Nnbhek32.exe 1508 Nqqdag32.exe 2564 Ncoamb32.exe 2300 Ngkmnacm.exe 1396 Njiijlbp.exe 1140 Nqcagfim.exe 1788 Nofabc32.exe 1812 Nbdnoo32.exe 2900 Nhnfkigh.exe 2720 Nkmbgdfl.exe 2204 Nccjhafn.exe 2624 Ofbfdmeb.exe 2404 Omloag32.exe 1420 Oojknblb.exe 3020 Onmkio32.exe 2388 Ofdcjm32.exe 1924 Odgcfijj.exe 1628 Ogfpbeim.exe 1076 Onphoo32.exe 2628 Oqndkj32.exe 2540 Oghlgdgk.exe -
Loads dropped DLL 64 IoCs
pid Process 2480 17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe 2480 17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe 3040 Iidbke32.exe 3040 Iidbke32.exe 2712 Ibmfdkcf.exe 2712 Ibmfdkcf.exe 2696 Ibocjk32.exe 2696 Ibocjk32.exe 2604 Iiikfehq.exe 2604 Iiikfehq.exe 2616 Jeplkf32.exe 2616 Jeplkf32.exe 2632 Jkjdhpea.exe 2632 Jkjdhpea.exe 3044 Jebiaelb.exe 3044 Jebiaelb.exe 2800 Jbfijjkl.exe 2800 Jbfijjkl.exe 1732 Jgcabqic.exe 1732 Jgcabqic.exe 1552 Jjanolhg.exe 1552 Jjanolhg.exe 2492 Jegble32.exe 2492 Jegble32.exe 1772 Jjdkdl32.exe 1772 Jjdkdl32.exe 1080 Jclomamd.exe 1080 Jclomamd.exe 2060 Jmdcfg32.exe 2060 Jmdcfg32.exe 1240 Kfmhol32.exe 1240 Kfmhol32.exe 2828 Kljqgc32.exe 2828 Kljqgc32.exe 400 Kebepion.exe 400 Kebepion.exe 1504 Kphimanc.exe 1504 Kphimanc.exe 836 Kipnfged.exe 836 Kipnfged.exe 1128 Komfnnck.exe 1128 Komfnnck.exe 1544 Kbhbom32.exe 1544 Kbhbom32.exe 1380 Khekgc32.exe 1380 Khekgc32.exe 1620 Kdlkld32.exe 1620 Kdlkld32.exe 2008 Loapim32.exe 2008 Loapim32.exe 2248 Laplei32.exe 2248 Laplei32.exe 1692 Lmgmjjdn.exe 1692 Lmgmjjdn.exe 1712 Limmokib.exe 1712 Limmokib.exe 2780 Ladeqhjd.exe 2780 Ladeqhjd.exe 2684 Llnfaffc.exe 2684 Llnfaffc.exe 2832 Ldenbcge.exe 2832 Ldenbcge.exe 1912 Loooca32.exe 1912 Loooca32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ednpej32.exe Ebodiofk.exe File created C:\Windows\SysWOW64\Epieghdk.exe Egamfkdh.exe File opened for modification C:\Windows\SysWOW64\Iidbke32.exe 17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe File created C:\Windows\SysWOW64\Bppoqeja.exe Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Nmpnhdfc.exe Nkbalifo.exe File created C:\Windows\SysWOW64\Ncgdbmmp.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Ddgjdk32.exe Dojald32.exe File opened for modification C:\Windows\SysWOW64\Ebodiofk.exe Ekelld32.exe File opened for modification C:\Windows\SysWOW64\Bafidiio.exe Bjlqhoba.exe File opened for modification C:\Windows\SysWOW64\Jjpcbe32.exe Jkmcfhkc.exe File created C:\Windows\SysWOW64\Ljffag32.exe Llcefjgf.exe File created C:\Windows\SysWOW64\Mjkacaml.dll Mholen32.exe File opened for modification C:\Windows\SysWOW64\Pelipl32.exe Pfiidobe.exe File created C:\Windows\SysWOW64\Lpicol32.dll Cngcjo32.exe File created C:\Windows\SysWOW64\Limilm32.dll Kcfkfo32.exe File created C:\Windows\SysWOW64\Cgocalod.dll Ladeqhjd.exe File opened for modification C:\Windows\SysWOW64\Ahgnke32.exe Aehboi32.exe File opened for modification C:\Windows\SysWOW64\Fmcoja32.exe Fjdbnf32.exe File created C:\Windows\SysWOW64\Omkepc32.dll Ndbcpd32.exe File created C:\Windows\SysWOW64\Chboohof.dll Bfcampgf.exe File created C:\Windows\SysWOW64\Baakhm32.exe Bppoqeja.exe File opened for modification C:\Windows\SysWOW64\Oomjlk32.exe Ohcaoajg.exe File created C:\Windows\SysWOW64\Nfkpdn32.exe Ncjgbcoi.exe File created C:\Windows\SysWOW64\Qeqbkkej.exe Qbbfopeg.exe File opened for modification C:\Windows\SysWOW64\Lojomkdn.exe Llkbap32.exe File created C:\Windows\SysWOW64\Pgpeal32.exe Pqemdbaj.exe File opened for modification C:\Windows\SysWOW64\Bilmcf32.exe Afnagk32.exe File created C:\Windows\SysWOW64\Hbfcml32.dll Limfed32.exe File created C:\Windows\SysWOW64\Ajpjcomh.dll Bilmcf32.exe File created C:\Windows\SysWOW64\Ngoohnkj.dll Nigome32.exe File created C:\Windows\SysWOW64\Ecjdib32.dll Amelne32.exe File opened for modification C:\Windows\SysWOW64\Kaklpcoc.exe Kiccofna.exe File opened for modification C:\Windows\SysWOW64\Gmpgio32.exe Gffoldhp.exe File opened for modification C:\Windows\SysWOW64\Meijhc32.exe Mooaljkh.exe File created C:\Windows\SysWOW64\Dhekfh32.dll Aiedjneg.exe File created C:\Windows\SysWOW64\Nblnkb32.dll Ofjfhk32.exe File created C:\Windows\SysWOW64\Cfiini32.dll Mhbped32.exe File created C:\Windows\SysWOW64\Pmdgmd32.dll Ejkima32.exe File created C:\Windows\SysWOW64\Kfbcbd32.exe Kohkfj32.exe File opened for modification C:\Windows\SysWOW64\Mofglh32.exe Mencccop.exe File created C:\Windows\SysWOW64\Oagmmgdm.exe Nkmdpm32.exe File opened for modification C:\Windows\SysWOW64\Nfkpdn32.exe Ncjgbcoi.exe File opened for modification C:\Windows\SysWOW64\Bdlblj32.exe Bpafkknm.exe File created C:\Windows\SysWOW64\Dmafennb.exe Dgdmmgpj.exe File opened for modification C:\Windows\SysWOW64\Ackkppma.exe Amqccfed.exe File created C:\Windows\SysWOW64\Blkioa32.exe Bilmcf32.exe File opened for modification C:\Windows\SysWOW64\Pbhmnkjf.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Ggfblnnh.dll Meijhc32.exe File created C:\Windows\SysWOW64\Onpjghhn.exe Oomjlk32.exe File created C:\Windows\SysWOW64\Ppnidgoj.dll Fpqdkf32.exe File created C:\Windows\SysWOW64\Fbldmm32.dll Ilqpdm32.exe File opened for modification C:\Windows\SysWOW64\Oqqapjnk.exe Ojficpfn.exe File opened for modification C:\Windows\SysWOW64\Boiccdnf.exe Ahokfj32.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Ofmbnkhg.exe File opened for modification C:\Windows\SysWOW64\Ncjgbcoi.exe Naikkk32.exe File opened for modification C:\Windows\SysWOW64\Ahokfj32.exe Aepojo32.exe File opened for modification C:\Windows\SysWOW64\Ijbdha32.exe Ichllgfb.exe File created C:\Windows\SysWOW64\Jbbpnl32.dll Ojigbhlp.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Fhhcgj32.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Fjilieka.exe File created C:\Windows\SysWOW64\Ehkdaf32.dll Pbfpik32.exe File created C:\Windows\SysWOW64\Lidengnp.dll Amkpegnj.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Aiedjneg.exe File created C:\Windows\SysWOW64\Eloemi32.exe Eeempocb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6196 6164 WerFault.exe 646 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcfqkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggbcg32.dll" Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoffo32.dll" Jclomamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqdeaqb.dll" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll" Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohcaoajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hgbebiao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdildlie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfcml32.dll" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahaloofd.dll" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkommo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabbhcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmpnhdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cclkfdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" Pfiidobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qngmgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfinoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjnamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balkchpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mholen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipllekdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfgngh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqhpdhcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlmdcf.dll" Kfmhol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpbep32.dll" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jchhkjhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll" Cddjebgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjanolhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdkdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2480 wrote to memory of 3040 2480 17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe 28 PID 2480 wrote to memory of 3040 2480 17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe 28 PID 2480 wrote to memory of 3040 2480 17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe 28 PID 2480 wrote to memory of 3040 2480 17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe 28 PID 3040 wrote to memory of 2712 3040 Iidbke32.exe 29 PID 3040 wrote to memory of 2712 3040 Iidbke32.exe 29 PID 3040 wrote to memory of 2712 3040 Iidbke32.exe 29 PID 3040 wrote to memory of 2712 3040 Iidbke32.exe 29 PID 2712 wrote to memory of 2696 2712 Ibmfdkcf.exe 30 PID 2712 wrote to memory of 2696 2712 Ibmfdkcf.exe 30 PID 2712 wrote to memory of 2696 2712 Ibmfdkcf.exe 30 PID 2712 wrote to memory of 2696 2712 Ibmfdkcf.exe 30 PID 2696 wrote to memory of 2604 2696 Ibocjk32.exe 31 PID 2696 wrote to memory of 2604 2696 Ibocjk32.exe 31 PID 2696 wrote to memory of 2604 2696 Ibocjk32.exe 31 PID 2696 wrote to memory of 2604 2696 Ibocjk32.exe 31 PID 2604 wrote to memory of 2616 2604 Iiikfehq.exe 32 PID 2604 wrote to memory of 2616 2604 Iiikfehq.exe 32 PID 2604 wrote to memory of 2616 2604 Iiikfehq.exe 32 PID 2604 wrote to memory of 2616 2604 Iiikfehq.exe 32 PID 2616 wrote to memory of 2632 2616 Jeplkf32.exe 33 PID 2616 wrote to memory of 2632 2616 Jeplkf32.exe 33 PID 2616 wrote to memory of 2632 2616 Jeplkf32.exe 33 PID 2616 wrote to memory of 2632 2616 Jeplkf32.exe 33 PID 2632 wrote to memory of 3044 2632 Jkjdhpea.exe 34 PID 2632 wrote to memory of 3044 2632 Jkjdhpea.exe 34 PID 2632 wrote to memory of 3044 2632 Jkjdhpea.exe 34 PID 2632 wrote to memory of 3044 2632 Jkjdhpea.exe 34 PID 3044 wrote to memory of 2800 3044 Jebiaelb.exe 35 PID 3044 wrote to memory of 2800 3044 Jebiaelb.exe 35 PID 3044 wrote to memory of 2800 3044 Jebiaelb.exe 35 PID 3044 wrote to memory of 2800 3044 Jebiaelb.exe 35 PID 2800 wrote to memory of 1732 2800 Jbfijjkl.exe 36 PID 2800 wrote to memory of 1732 2800 Jbfijjkl.exe 36 PID 2800 wrote to memory of 1732 2800 Jbfijjkl.exe 36 PID 2800 wrote to memory of 1732 2800 Jbfijjkl.exe 36 PID 1732 wrote to memory of 1552 1732 Jgcabqic.exe 37 PID 1732 wrote to memory of 1552 1732 Jgcabqic.exe 37 PID 1732 wrote to memory of 1552 1732 Jgcabqic.exe 37 PID 1732 wrote to memory of 1552 1732 Jgcabqic.exe 37 PID 1552 wrote to memory of 2492 1552 Jjanolhg.exe 38 PID 1552 wrote to memory of 2492 1552 Jjanolhg.exe 38 PID 1552 wrote to memory of 2492 1552 Jjanolhg.exe 38 PID 1552 wrote to memory of 2492 1552 Jjanolhg.exe 38 PID 2492 wrote to memory of 1772 2492 Jegble32.exe 39 PID 2492 wrote to memory of 1772 2492 Jegble32.exe 39 PID 2492 wrote to memory of 1772 2492 Jegble32.exe 39 PID 2492 wrote to memory of 1772 2492 Jegble32.exe 39 PID 1772 wrote to memory of 1080 1772 Jjdkdl32.exe 40 PID 1772 wrote to memory of 1080 1772 Jjdkdl32.exe 40 PID 1772 wrote to memory of 1080 1772 Jjdkdl32.exe 40 PID 1772 wrote to memory of 1080 1772 Jjdkdl32.exe 40 PID 1080 wrote to memory of 2060 1080 Jclomamd.exe 41 PID 1080 wrote to memory of 2060 1080 Jclomamd.exe 41 PID 1080 wrote to memory of 2060 1080 Jclomamd.exe 41 PID 1080 wrote to memory of 2060 1080 Jclomamd.exe 41 PID 2060 wrote to memory of 1240 2060 Jmdcfg32.exe 42 PID 2060 wrote to memory of 1240 2060 Jmdcfg32.exe 42 PID 2060 wrote to memory of 1240 2060 Jmdcfg32.exe 42 PID 2060 wrote to memory of 1240 2060 Jmdcfg32.exe 42 PID 1240 wrote to memory of 2828 1240 Kfmhol32.exe 43 PID 1240 wrote to memory of 2828 1240 Kfmhol32.exe 43 PID 1240 wrote to memory of 2828 1240 Kfmhol32.exe 43 PID 1240 wrote to memory of 2828 1240 Kfmhol32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe"C:\Users\Admin\AppData\Local\Temp\17d93621f2cd384a1f9176495d7ebede4f4e387924251da034c1c31a70f4a0ad.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:400 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe33⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe34⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe36⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe37⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe38⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe39⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe40⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe41⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe44⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe45⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe46⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe47⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe48⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe50⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe51⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe52⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe53⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe54⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe55⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe56⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe57⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe58⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe59⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe60⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe61⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe62⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe63⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe64⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe65⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe66⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe67⤵PID:1868
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:576 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe69⤵
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe70⤵PID:756
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe71⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe72⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe73⤵PID:2844
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe74⤵PID:1780
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe75⤵PID:2740
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe76⤵PID:3028
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe77⤵PID:2924
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe78⤵PID:2468
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe79⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe80⤵PID:2636
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe81⤵PID:2256
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe82⤵PID:668
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe83⤵PID:2408
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe84⤵PID:324
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe85⤵PID:2352
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe86⤵PID:2888
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe88⤵PID:2944
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe89⤵PID:2668
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe91⤵PID:2912
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe92⤵PID:1980
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe93⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe94⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe95⤵PID:2120
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:816 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe97⤵PID:2972
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe98⤵PID:2076
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe99⤵PID:976
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe101⤵PID:2424
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe103⤵PID:2700
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe104⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe105⤵PID:2744
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe106⤵PID:2664
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe108⤵PID:1064
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe109⤵PID:1804
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe110⤵
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:632 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe112⤵PID:2004
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe113⤵
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe114⤵
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe115⤵PID:2576
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe116⤵PID:2588
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe117⤵PID:2560
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe118⤵PID:2348
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe119⤵PID:1616
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe121⤵PID:1996
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-