Analysis
max time kernel: 148s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 05/07/2024, 22:19
Static task: static1
Behavioral task: behavioral1
  Sample: 6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe
  Resource: win10v2004-20240704-en
General
Target: 6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe
Size: 669KB
MD5: 07b7af36ad7c55e3a1739b6d7ec1b334
SHA1: fd14c97cfbefe87ea6055ad902f39ed04783a770
SHA256: 6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7
SHA512: 0aa6e4215a33a9659d49d682f5ded03fdb3a7550fabcfaca2db9b1855ff503745817515dfedaa64eb544a99f166e5b88159a2ba023b1353ce72bd9a7627bffe7
SSDEEP: 12288:rjN/5XQC8XwueVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:rjN/5XP5pchMpQnqrdX72LbY6x46uR/i
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

ShellServiceObjectDelayLoad (SSODL) is a list of CLSIDs that explorer.exe instantiates as in-process COM servers when the shell starts, so whatever DLL the CLSID's InProcServer32 value names is loaded into explorer.exe at every logon. The Wow6432Node path is the 32-bit view of the registry: the sample and the files it drops are 32-bit binaries running under WOW64, which is why every path in this report sits under SysWOW64. Every generation of the chain uses the same value name ("Web Event Logger") and the same CLSID {79FAA099-1BAE-816E-D711-115290CEE717}; the "Modifies registry class" table further down shows which DLL that CLSID is pointed at. The 64 rows reduce to two distinct IoCs:

Key created  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad  (30 processes):
Epaodjlo.exe, Mkpppmko.exe, Empphi32.exe, Cifdmbib.exe, Ocihgo32.exe, Eaalom32.exe, Llfcik32.exe, Komjmk32.exe, Dlhdjh32.exe, Eeceim32.exe, Jkgelh32.exe, Kiqdmm32.exe, Ggbjag32.exe, Nafknbqk.exe, Cmlqimph.exe, Hpdefh32.exe, Nmmlccfp.exe, Ldndng32.exe, Bfppgohb.exe, Ndgdpn32.exe, Echlmh32.exe, Ilceog32.exe, Lkkckdhm.exe, Kpnbcfkc.exe, Mmmpdp32.exe, Ibhieo32.exe, Kkajkoml.exe, Igcjgk32.exe, Manljd32.exe, Pnihneon.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  (34 processes):
Eigpmjqg.exe, Ljjjmeie.exe, Iaegbmlq.exe, Cbpcbo32.exe, Idepdhia.exe, Jbpfpd32.exe, Qcjjakip.exe, Nnpofe32.exe, Mdahnmck.exe, Eaalom32.exe, Fakhhk32.exe, Nidmhd32.exe, Bjanfl32.exe, Cihqbb32.exe, Elnonp32.exe, Ldndng32.exe, Pelnniga.exe, Jndhddaf.exe, Abbjbnoq.exe, Omjeba32.exe, Mgjpcf32.exe, Omlahqeo.exe, Lnaokn32.exe, Nfmahkhh.exe, Gbkdgn32.exe, Jaoblk32.exe, Jhniebne.exe, Dglkba32.exe, Ffjghppi.exe, Ckkhga32.exe, Iiaoip32.exe, Fcmdpcle.exe, Npkaei32.exe, Cahmik32.exe
Executes dropped EXE (64 IoCs)

pid Process:
1884 Ceacoqfi.exe, 1620 Coldmfkf.exe, 2856 Deiipp32.exe, 2860 Dkhnmfle.exe, 2864 Djmknb32.exe, 2320 Echlmh32.exe, 744 Elpqemll.exe, 1632 Ekhjlioa.exe,
2888 Ebdoocdk.exe, 400 Fgcdlj32.exe, 2904 Fnoiocfj.exe, 584 Fclbgj32.exe, 2240 Gfogneop.exe, 2400 Glomllkd.exe, 2340 Gegaeabe.exe, 964 Gekkpqnp.exe,
1168 Hhlcal32.exe, 1464 Hdcdfmqe.exe, 1804 Hfaqbh32.exe, 1664 Hmkiobge.exe, 2244 Hfdmhh32.exe, 1504 Hplbamdf.exe, 2656 Hbknmicj.exe, 1472 Ibmkbh32.exe,
2172 Ileoknhh.exe, 2308 Iiipeb32.exe, 2960 Iaddid32.exe, 2976 Idcqep32.exe, 2896 Iebmpcjc.exe, 2968 Igcjgk32.exe, 2772 Ihcfan32.exe, 936 Igffmkno.exe,
1440 Jkdoci32.exe, 1920 Jnbkodci.exe, 2996 Jndhddaf.exe, 2764 Jlghpa32.exe, 288 Jhniebne.exe, 1028 Jafmngde.exe, 1528 Jhqeka32.exe, 2388 Jkobgm32.exe,
2428 Klonqpbi.exe, 684 Komjmk32.exe, 2012 Kheofahm.exe, 1776 Kkckblgq.exe, 1680 Koogbk32.exe, 552 Kgjlgm32.exe, 296 Knddcg32.exe, 1948 Kdnlpaln.exe,
2652 Kgmilmkb.exe, 2312 Kmjaddii.exe, 2432 Kgoebmip.exe, 2944 Kninog32.exe, 2836 Lfdbcing.exe, 2708 Ljpnch32.exe, 748 Lchclmla.exe, 1232 Lffohikd.exe,
1408 Lkcgapjl.exe, 1816 Lckpbm32.exe, 2356 Lkfdfo32.exe, 2480 Lpapgnpb.exe, 2068 Lenioenj.exe, 1348 Lpcmlnnp.exe, 236 Leqeed32.exe, 2672 Mgoaap32.exe
Loads dropped DLL (64 IoCs)

pid Process (each of the 32 pairs below appears twice in the sandbox table):
2108 6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe, 1884 Ceacoqfi.exe, 1620 Coldmfkf.exe, 2856 Deiipp32.exe, 2860 Dkhnmfle.exe, 2864 Djmknb32.exe, 2320 Echlmh32.exe, 744 Elpqemll.exe,
1632 Ekhjlioa.exe, 2888 Ebdoocdk.exe, 400 Fgcdlj32.exe, 2904 Fnoiocfj.exe, 584 Fclbgj32.exe, 2240 Gfogneop.exe, 2400 Glomllkd.exe, 2340 Gegaeabe.exe,
964 Gekkpqnp.exe, 1168 Hhlcal32.exe, 1464 Hdcdfmqe.exe, 1804 Hfaqbh32.exe, 1664 Hmkiobge.exe, 2244 Hfdmhh32.exe, 1504 Hplbamdf.exe, 2656 Hbknmicj.exe,
1472 Ibmkbh32.exe, 1592 Iencdc32.exe, 2308 Iiipeb32.exe, 2960 Iaddid32.exe, 2976 Idcqep32.exe, 2896 Iebmpcjc.exe, 2968 Igcjgk32.exe, 2772 Ihcfan32.exe
Drops file in System32 directory (64 IoCs)

Each generation writes the next generation's .exe and fresh .dll files into C:\Windows\SysWOW64 (the System32 of a 32-bit process under WOW64). Where both a drop row and a process-tree edge are visible, they line up: Ceacoqfi.exe creates Coldmfkf.exe here and launches it in the process tree below. The report lists 64 of the drop events.

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Jhahcjcf.exe | Jgpklb32.exe
File created | C:\Windows\SysWOW64\Gaclkmid.dll | Dogpfc32.exe
File created | C:\Windows\SysWOW64\Kbokplfi.dll | Eaooin32.exe
File created | C:\Windows\SysWOW64\Aoakfl32.exe | Qkeofnfk.exe
File created | C:\Windows\SysWOW64\Bbdmljln.exe | Bnhqll32.exe
File created | C:\Windows\SysWOW64\Ehjqif32.exe | Eigpmjqg.exe
File created | C:\Windows\SysWOW64\Dajiok32.exe | Dicann32.exe
File opened for modification | C:\Windows\SysWOW64\Lddoopbi.exe | Kccbgh32.exe
File created | C:\Windows\SysWOW64\Kkigfdjo.exe | Kgmkef32.exe
File created | C:\Windows\SysWOW64\Cafamgkk.dll | Djqcki32.exe
File created | C:\Windows\SysWOW64\Coldmfkf.exe | Ceacoqfi.exe
File opened for modification | C:\Windows\SysWOW64\Bbdmljln.exe | Bnhqll32.exe
File created | C:\Windows\SysWOW64\Dmiihjak.exe | Dgoakpjn.exe
File opened for modification | C:\Windows\SysWOW64\Okolfkjg.exe | Oebdndlp.exe
File created | C:\Windows\SysWOW64\Bfmlgi32.exe | Bocckoom.exe
File opened for modification | C:\Windows\SysWOW64\Mpeebhhf.exe | Mjkmfn32.exe
File created | C:\Windows\SysWOW64\Opjlkc32.exe | Onlooh32.exe
File created | C:\Windows\SysWOW64\Eagiho32.exe | Eoimlc32.exe
File opened for modification | C:\Windows\SysWOW64\Ffjghppi.exe | Fbnkha32.exe
File created | C:\Windows\SysWOW64\Ifghji32.dll | Jacjna32.exe
File created | C:\Windows\SysWOW64\Lbhphdab.exe | Lnmcge32.exe
File opened for modification | C:\Windows\SysWOW64\Mkconepp.exe | Mchjjc32.exe
File opened for modification | C:\Windows\SysWOW64\Iaddid32.exe | Iiipeb32.exe
File created | C:\Windows\SysWOW64\Ighmnbma.dll | Npffaq32.exe
File created | C:\Windows\SysWOW64\Jdbfjm32.exe | Jeofnpke.exe
File created | C:\Windows\SysWOW64\Pngjlfla.dll | Ilmgef32.exe
File created | C:\Windows\SysWOW64\Njnmiaib.dll | Jffhec32.exe
File created | C:\Windows\SysWOW64\Bjgbmoda.exe | Bejiehfi.exe
File opened for modification | C:\Windows\SysWOW64\Odimdqne.exe | Odgqoa32.exe
File created | C:\Windows\SysWOW64\Bnedic32.dll | Pppnia32.exe
File created | C:\Windows\SysWOW64\Ncpgeh32.exe | Npdkdjhp.exe
File created | C:\Windows\SysWOW64\Kccbgh32.exe | Kkljfj32.exe
File opened for modification | C:\Windows\SysWOW64\Oaeacppk.exe | Omjeba32.exe
File created | C:\Windows\SysWOW64\Egmqcllm.dll | Aglhph32.exe
File created | C:\Windows\SysWOW64\Eoldfbid.dll | Iaddid32.exe
File opened for modification | C:\Windows\SysWOW64\Mmngof32.exe | Mcfbfaao.exe
File opened for modification | C:\Windows\SysWOW64\Nomphm32.exe | Naionh32.exe
File created | C:\Windows\SysWOW64\Gdodjlda.exe | Gfldno32.exe
File created | C:\Windows\SysWOW64\Gngiba32.exe | Gikpjk32.exe
File opened for modification | C:\Windows\SysWOW64\Bqffna32.exe | Bdoeipjh.exe
File created | C:\Windows\SysWOW64\Mpoibb32.dll | Idpmejag.exe
File created | C:\Windows\SysWOW64\Jkkleb32.dll | Ahllda32.exe
File opened for modification | C:\Windows\SysWOW64\Lkffohon.exe | Ljejgp32.exe
File created | C:\Windows\SysWOW64\Lbdldg32.dll | Jlddpkgh.exe
File created | C:\Windows\SysWOW64\Dqffpm32.dll | Mbobgfnf.exe
File opened for modification | C:\Windows\SysWOW64\Lbjlnd32.exe | Lolpah32.exe
File created | C:\Windows\SysWOW64\Dhdddnep.exe | Dpmlcpdm.exe
File opened for modification | C:\Windows\SysWOW64\Olehbh32.exe | Nfhpjaba.exe
File created | C:\Windows\SysWOW64\Dahgqohh.dll | Kpeonkig.exe
File opened for modification | C:\Windows\SysWOW64\Peaibajp.exe | Plheil32.exe
File created | C:\Windows\SysWOW64\Iljakp32.dll | Ljpnch32.exe
File opened for modification | C:\Windows\SysWOW64\Ekdglcmh.exe | Edkopifk.exe
File created | C:\Windows\SysWOW64\Geaaolbo.exe | Gqfeom32.exe
File created | C:\Windows\SysWOW64\Doapanne.exe | Dhggdcgh.exe
File created | C:\Windows\SysWOW64\Pbenfb32.dll | Eiimci32.exe
File created | C:\Windows\SysWOW64\Hbengc32.exe | Hnjagdlj.exe
File created | C:\Windows\SysWOW64\Jhbeejlb.dll | Pooaaink.exe
File opened for modification | C:\Windows\SysWOW64\Fdjddf32.exe | Fakhhk32.exe
File created | C:\Windows\SysWOW64\Hfbckagm.exe | Hccfoehi.exe
File created | C:\Windows\SysWOW64\Dkpabqoa.exe | Dfdeab32.exe
File created | C:\Windows\SysWOW64\Bnagimbb.dll | Iklbhdga.exe
File created | C:\Windows\SysWOW64\Afffgjma.exe | Ankabh32.exe
File opened for modification | C:\Windows\SysWOW64\Nnkekfkd.exe | Npieoi32.exe
File created | C:\Windows\SysWOW64\Eboeqj32.dll | Gmaoomld.exe
Program crash (1 IoC)

WerFault.exe (pid 860) was launched to handle a crash in pid 2804, which is process number 832 in the report, i.e. one generation of the chain faulted rather than the initial sample.

pid | pid_target | Process | procid_target
860 | 2804 | WerFault.exe | 832
Modifies registry class (64 IoCs)

This is the other half of the SSODL persistence described above. Each generation registers (or re-registers) the CLSID {79FAA099-1BAE-816E-D711-115290CEE717} in the 32-bit Classes view, sets its InProcServer32 default value to a DLL under C:\Windows\SysWow64 and marks it ThreadingModel = "Apartment", which is what lets explorer.exe instantiate it in-process. The 64 rows fall into three groups. Note that the DLL path is different in every row of the third group (23 distinct names for one CLSID), so a detection keyed on the DLL name misses this family while one keyed on the CLSID or on the SSODL value name "Web Event Logger" does not.

Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32  (19 processes):
Goodpb32.exe, Beplcfmd.exe, Fmacpj32.exe, Gfldno32.exe, Nnkekfkd.exe, Kplfmfmf.exe, Dhodpidl.exe, Klbdiokf.exe, Aokdga32.exe, Bfppgohb.exe, Lnaokn32.exe, Pkebgj32.exe, Gdodjlda.exe, Gqfeom32.exe, Ifahpnfl.exe, Omddmkhl.exe, Peaibajp.exe, Elnonp32.exe, Gknfaehi.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  (22 processes):
Gbkdgn32.exe, Oebdndlp.exe, Bfphmi32.exe, Lckpbm32.exe, Jddbpmpm.exe, Ehdnkh32.exe, Egkgad32.exe, Fldbnb32.exe, Epdljjjm.exe, Fgcdlj32.exe, Jhniebne.exe, Bfkobj32.exe, Dmiihjak.exe, Hchpjddc.exe, Pimlmf32.exe, Oiniaboi.exe, Dbkolmia.exe, Agilkijf.exe, Afpchl32.exe, Kgghgg32.exe, Nlabjj32.exe, Eopcmb32.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = DLL path  (23 processes; data | Process):
"C:\\Windows\\SysWow64\\Mmchhqaf.dll" | Qiekadkl.exe
"C:\\Windows\\SysWow64\\Cfpofi32.dll" | Pnfkheap.exe
"C:\\Windows\\SysWow64\\Eicjdfnm.dll" | Flkmokoa.exe
"C:\\Windows\\SysWow64\\Jimcoh32.dll" | Mcendc32.exe
"C:\\Windows\\SysWow64\\Klmfgnjo.dll" | Oafhmf32.exe
"C:\\Windows\\SysWow64\\Gblaal32.dll" | Polakmbi.exe
"C:\\Windows\\SysWow64\\Cmeimblp.dll" | Kgmkef32.exe
"C:\\Windows\\SysWow64\\Fdakhmhh.dll" | Cnpnga32.exe
"C:\\Windows\\SysWow64\\Kmcgcmql.dll" | Nlklik32.exe
"C:\\Windows\\SysWow64\\Ccdhfhda.dll" | Hmlkhk32.exe
"C:\\Windows\\SysWow64\\Gaopnk32.dll" | Klimcf32.exe
"C:\\Windows\\SysWow64\\Blcikifh.dll" | Mmifiahi.exe
"C:\\Windows\\SysWow64\\Gijcmo32.dll" | Iiipeb32.exe
"C:\\Windows\\SysWow64\\Lmminemb.dll" | Eaalom32.exe
"C:\\Windows\\SysWow64\\Mgmmkohc.dll" | Ihilqi32.exe
"C:\\Windows\\SysWow64\\Llbmlo32.dll" | Cpkmehol.exe
"C:\\Windows\\SysWow64\\Bjbcik32.dll" | Knddcg32.exe
"C:\\Windows\\SysWow64\\Bklomf32.dll" | Kmjaddii.exe
"C:\\Windows\\SysWow64\\Ipapioii.dll" | Ijhkembk.exe
"C:\\Windows\\SysWow64\\Aihboppa.dll" | Lkcqfifp.exe
"C:\\Windows\\SysWow64\\Ndagjbio.dll" | Lkhcdhmk.exe
"C:\\Windows\\SysWow64\\Eabgpg32.dll" | Agilkijf.exe
"C:\\Windows\\SysWow64\\Qogkcdjb.dll" | Joqdfghn.exe
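The two registry tables above describe one persistence mechanism from two sides. The following added example (my own code, not part of the tria.ge report) correlates them from event rows in the report's own "description ioc Process" shape: it resolves each SSODL value to its CLSID, looks up that CLSID's InProcServer32 default value, and reports which DLL explorer.exe will load at logon, flagging a CLSID that has been re-pointed at several DLLs. The sample rows embedded in it are copied from this report; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a few rows copied from the two registry tables in this report,
# in the sandbox's own "description ioc Process" row shape. A larger dump can be pasted in.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eigpmjqg.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaodjlo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goodpb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmchhqaf.dll" Qiekadkl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbkdgn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfpofi32.dll" Pnfkheap.exe
"""

_CLSID = r'\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}'
# Both the native and the Wow6432Node (32-bit) views are accepted.
_SSODL = r'\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad'
_INPROC = r'\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:Wow6432Node\\)?CLSID\\(?P<clsid>' + _CLSID + r')\\InProcServer32'

# SSODL value: "<value name> = "{CLSID}"" set by <process>
SSODL_SET = re.compile(r'^Set value \(str\) ' + _SSODL + r'\\(?P<name>.+?) = "(?P<clsid>' + _CLSID + r')" (?P<proc>\S+)$', re.I)
# InProcServer32 value: empty name is the (default) value, i.e. the DLL path
INPROC_SET = re.compile(r'^Set value \(str\) ' + _INPROC + r'\\(?P<value>\S*) = "(?P<data>[^"]*)" (?P<proc>\S+)$', re.I)
INPROC_KEY = re.compile(r'^Key created ' + _INPROC + r' (?P<proc>\S+)$', re.I)


def find_ssodl_persistence(events: str) -> dict:
    """Group SSODL references and CLSID registrations by CLSID."""
    by_clsid = defaultdict(lambda: {"value_names": set(), "ssodl_setters": set(),
                                    "dlls": set(), "inproc_setters": set(), "threading": set()})
    for raw in events.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SSODL_SET.match(line)):
            entry = by_clsid[m["clsid"].upper()]
            entry["value_names"].add(m["name"])
            entry["ssodl_setters"].add(m["proc"])
        elif (m := INPROC_SET.match(line)):
            entry = by_clsid[m["clsid"].upper()]
            entry["inproc_setters"].add(m["proc"])
            data = m["data"].replace("\\\\", "\\")  # the report renders registry strings with doubled backslashes
            if m["value"] == "":
                entry["dlls"].add(data)
            elif m["value"].lower() == "threadingmodel":
                entry["threading"].add(data)
        elif (m := INPROC_KEY.match(line)):
            by_clsid[m["clsid"].upper()]["inproc_setters"].add(m["proc"])
        # rows of any other shape (e.g. "Key created ...ShellServiceObjectDelayLoad") carry no CLSID and are skipped
    return dict(by_clsid)


def report(by_clsid: dict) -> list:
    """One finding per DLL that explorer.exe will load through SSODL, plus a note when the CLSID is re-pointed."""
    findings = []
    for clsid, e in sorted(by_clsid.items()):
        if not e["value_names"]:
            continue  # CLSID registered but never listed in SSODL: not shell-loaded by this route
        names = ", ".join(sorted(e["value_names"]))
        if not e["dlls"]:
            findings.append(f'{clsid}: SSODL value "{names}" set but no InProcServer32 path seen')
            continue
        for dll in sorted(e["dlls"]):
            findings.append(f'{clsid}: explorer.exe will load {dll} at logon via SSODL value "{names}"')
        if len(e["dlls"]) > 1:
            findings.append(f'{clsid}: InProcServer32 re-pointed to {len(e["dlls"])} different DLLs by {len(e["inproc_setters"])} processes')
    return findings


if __name__ == "__main__":
    for line in report(find_ssodl_persistence(SAMPLE_EVENTS)):
        print(line)
```

On the sample rows this yields two "explorer.exe will load" findings (Cfpofi32.dll and Mmchhqaf.dll) and one churn note, which is the pattern the full tables show at scale: a fixed CLSID and value name with a different DLL behind it in every generation.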
Suspicious use of WriteProcessMemory (64 IoCs)

The sandbox logs the writes a parent makes into its newly created child's address space during process creation, so rows of this shape also appear for ordinary CreateProcess calls and do not on their own show code injection. What the table does establish is the spawn order: every generation writes into exactly one child, and each parent/child pair was recorded four times, so the 64 rows collapse to the 16 hops below.

description | pid | Process | procid_target
PID 2108 wrote to memory of 1884 | 2108 | 6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe | 30
PID 1884 wrote to memory of 1620 | 1884 | Ceacoqfi.exe | 31
PID 1620 wrote to memory of 2856 | 1620 | Coldmfkf.exe | 32
PID 2856 wrote to memory of 2860 | 2856 | Deiipp32.exe | 33
PID 2860 wrote to memory of 2864 | 2860 | Dkhnmfle.exe | 34
PID 2864 wrote to memory of 2320 | 2864 | Djmknb32.exe | 35
PID 2320 wrote to memory of 744 | 2320 | Echlmh32.exe | 36
PID 744 wrote to memory of 1632 | 744 | Elpqemll.exe | 37
PID 1632 wrote to memory of 2888 | 1632 | Ekhjlioa.exe | 38
PID 2888 wrote to memory of 400 | 2888 | Ebdoocdk.exe | 39
PID 400 wrote to memory of 2904 | 400 | Fgcdlj32.exe | 40
PID 2904 wrote to memory of 584 | 2904 | Fnoiocfj.exe | 41
PID 584 wrote to memory of 2240 | 584 | Fclbgj32.exe | 42
PID 2240 wrote to memory of 2400 | 2240 | Gfogneop.exe | 43
PID 2400 wrote to memory of 2340 | 2400 | Glomllkd.exe | 44
PID 2340 wrote to memory of 964 | 2340 | Gegaeabe.exe | 45
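As an added example (my own code, not part of the report), the script below reconstructs the spawn chain from rows in the shape of the WriteProcessMemory table, de-duplicating the repeated entries, and checks each hop against rows in the shape of the "Drops file in System32 directory" table to see whether a parent launched a file it had itself just written. The embedded rows are a constructed subset copied from this report; among the visible drop rows only the Ceacoqfi.exe to Coldmfkf.exe hop has its drop event within the 64 listed, and the output reflects that rather than assuming the rest.

```python
import re

# Constructed sample rows, copied from the tables above and cut to the first hops of the chain.
# The sandbox records each parent->child write several times; the parser de-duplicates.
WPM_ROWS = """
PID 2108 wrote to memory of 1884 2108 6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe 30
PID 2108 wrote to memory of 1884 2108 6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe 30
PID 1884 wrote to memory of 1620 1884 Ceacoqfi.exe 31
PID 1884 wrote to memory of 1620 1884 Ceacoqfi.exe 31
PID 1620 wrote to memory of 2856 1620 Coldmfkf.exe 32
"""
# "Executes dropped EXE" rows supply the image name of the last hop, which never appears as a writer.
EXEC_ROWS = """
1884 Ceacoqfi.exe
1620 Coldmfkf.exe
2856 Deiipp32.exe
"""
DROP_ROWS = r"""
File created C:\Windows\SysWOW64\Coldmfkf.exe Ceacoqfi.exe
File opened for modification C:\Windows\SysWOW64\Iaddid32.exe Iiipeb32.exe
"""

# description, pid, Process, procid_target; the pid column repeats the writer from the description
WPM = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$")
DROP = re.compile(r"^File (?P<action>created|opened for modification) (?P<path>\S+) (?P<proc>\S+)$")


def _rows(text: str) -> list:
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_wpm(text: str):
    """Return (edges, image): edges[src_pid] = {dst_pid, ...}, image[pid] = image name."""
    edges, image = {}, {}
    for row in _rows(text):
        m = WPM.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image[src] = m["image"]
        edges.setdefault(src, set()).add(dst)  # set membership drops the repeated rows
    return edges, image


def parse_exec(text: str) -> dict:
    image = {}
    for row in _rows(text):
        pid, name = row.split(None, 1)
        image[int(pid)] = name
    return image


def parse_drops(text: str) -> dict:
    """dropped_by[lower-case file name] = set of processes that created or modified it."""
    dropped_by = {}
    for row in _rows(text):
        m = DROP.match(row)
        if not m:
            continue
        name = m["path"].rsplit("\\", 1)[-1].lower()  # Windows path; os.path.basename would not split it on POSIX
        dropped_by.setdefault(name, set()).add(m["proc"])
    return dropped_by


def build_chain(wpm_text: str, exec_text: str, drop_text: str) -> list:
    """Walk from the root writer down the single-child chain, noting whether each hop was dropped by its parent."""
    edges, image = parse_wpm(wpm_text)
    image.update(parse_exec(exec_text))
    dropped_by = parse_drops(drop_text)
    children = {d for ds in edges.values() for d in ds}
    roots = sorted(set(edges) - children)
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid, parent_image, seen = [], roots[0], None, set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        img = image.get(pid, "?")
        chain.append({
            "pid": pid,
            "image": img,
            "dropped_by_parent": parent_image is not None and parent_image in dropped_by.get(img.lower(), set()),
        })
        nxt = sorted(edges.get(pid, ()))
        parent_image = img
        pid = nxt[0] if len(nxt) == 1 else None  # fan-out (or no child) ends the linear chain
    return chain


if __name__ == "__main__":
    for hop in build_chain(WPM_ROWS, EXEC_ROWS, DROP_ROWS):
        print(f'{hop["pid"]:>5} {hop["image"]}  dropped by parent: {hop["dropped_by_parent"]}')
```

With the full tables pasted in, the chain runs to the 16 hops listed above and the drop check fills in wherever the corresponding "File created" row is among the 64 shown; a hop whose image was written by its parent is the signature of a self-replicating dropper rather than a loader fetching something external.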
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe (PID 2108), command line: "C:\Users\Admin\AppData\Local\Temp\6302c1d28f8d3601f796e1cd246fb9204977dc1c795305ded855bb8c2ccd27b7.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\Ceacoqfi.exe (PID 1884), command line: C:\Windows\system32\Ceacoqfi.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\Coldmfkf.exe (PID 1620), command line: C:\Windows\system32\Coldmfkf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Deiipp32.exe (PID 2856), command line: C:\Windows\system32\Deiipp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\Dkhnmfle.exe (PID 2860), command line: C:\Windows\system32\Dkhnmfle.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\Djmknb32.exe (PID 2864), command line: C:\Windows\system32\Djmknb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\Echlmh32.exe (PID 2320), command line: C:\Windows\system32\Echlmh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 8: C:\Windows\SysWOW64\Elpqemll.exe (PID 744), command line: C:\Windows\system32\Elpqemll.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\Ekhjlioa.exe (PID 1632), command line: C:\Windows\system32\Ekhjlioa.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 10: C:\Windows\SysWOW64\Ebdoocdk.exe (PID 2888), command line: C:\Windows\system32\Ebdoocdk.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 11: C:\Windows\SysWOW64\Fgcdlj32.exe (PID 400), command line: C:\Windows\system32\Fgcdlj32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 12: C:\Windows\SysWOW64\Fnoiocfj.exe (PID 2904), command line: C:\Windows\system32\Fnoiocfj.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 13: C:\Windows\SysWOW64\Fclbgj32.exe (PID 584), command line: C:\Windows\system32\Fclbgj32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 14: C:\Windows\SysWOW64\Gfogneop.exe (PID 2240), command line: C:\Windows\system32\Gfogneop.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 15: C:\Windows\SysWOW64\Glomllkd.exe (PID 2400), command line: C:\Windows\system32\Glomllkd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 16: C:\Windows\SysWOW64\Gegaeabe.exe (PID 2340), command line: C:\Windows\system32\Gegaeabe.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 17: C:\Windows\SysWOW64\Gekkpqnp.exe (PID 964), command line: C:\Windows\system32\Gekkpqnp.exe
- Executes dropped EXE
- Loads dropped DLL
Level 18: C:\Windows\SysWOW64\Hhlcal32.exe (PID 1168), command line: C:\Windows\system32\Hhlcal32.exe
- Executes dropped EXE
- Loads dropped DLL
Level 19: C:\Windows\SysWOW64\Hdcdfmqe.exe (PID 1464), command line: C:\Windows\system32\Hdcdfmqe.exe
- Executes dropped EXE
- Loads dropped DLL
Level 20: C:\Windows\SysWOW64\Hfaqbh32.exe (PID 1804), command line: C:\Windows\system32\Hfaqbh32.exe
- Executes dropped EXE
- Loads dropped DLL
Level 21: C:\Windows\SysWOW64\Hmkiobge.exe (PID 1664), command line: C:\Windows\system32\Hmkiobge.exe
- Executes dropped EXE
- Loads dropped DLL
Level 22: C:\Windows\SysWOW64\Hfdmhh32.exe (PID 2244), command line: C:\Windows\system32\Hfdmhh32.exe
- Executes dropped EXE
- Loads dropped DLL
Level 23: C:\Windows\SysWOW64\Hplbamdf.exe (PID 1504), command line: C:\Windows\system32\Hplbamdf.exe
- Executes dropped EXE
- Loads dropped DLL
Level 24: C:\Windows\SysWOW64\Hbknmicj.exe (PID 2656), command line: C:\Windows\system32\Hbknmicj.exe
- Executes dropped EXE
- Loads dropped DLL
Level 25: C:\Windows\SysWOW64\Ibmkbh32.exe (PID 1472), command line: C:\Windows\system32\Ibmkbh32.exe
- Executes dropped EXE
- Loads dropped DLL
Level 26: C:\Windows\SysWOW64\Ileoknhh.exe (PID 2172), command line: C:\Windows\system32\Ileoknhh.exe
- Executes dropped EXE
Level 27: C:\Windows\SysWOW64\Iencdc32.exe (PID 1592), command line: C:\Windows\system32\Iencdc32.exe
- Loads dropped DLL
Level 28: C:\Windows\SysWOW64\Iiipeb32.exe (PID 2308), command line: C:\Windows\system32\Iiipeb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
Level 29: C:\Windows\SysWOW64\Iaddid32.exe (PID 2960), command line: C:\Windows\system32\Iaddid32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Level 30: C:\Windows\SysWOW64\Idcqep32.exe (PID 2976), command line: C:\Windows\system32\Idcqep32.exe
- Executes dropped EXE
- Loads dropped DLL
Level 31: C:\Windows\SysWOW64\Iebmpcjc.exe (PID 2896), command line: C:\Windows\system32\Iebmpcjc.exe
- Executes dropped EXE
- Loads dropped DLL
Level 32: C:\Windows\SysWOW64\Igcjgk32.exe (PID 2968), command line: C:\Windows\system32\Igcjgk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Level 33: C:\Windows\SysWOW64\Ihcfan32.exe (PID 2772), command line: C:\Windows\system32\Ihcfan32.exe
- Executes dropped EXE
- Loads dropped DLL
Level 34: C:\Windows\SysWOW64\Igffmkno.exe (PID 936), command line: C:\Windows\system32\Igffmkno.exe
- Executes dropped EXE
Level 35: C:\Windows\SysWOW64\Jkdoci32.exe (PID 1440), command line: C:\Windows\system32\Jkdoci32.exe
- Executes dropped EXE
Level 36: C:\Windows\SysWOW64\Jnbkodci.exe (PID 1920), command line: C:\Windows\system32\Jnbkodci.exe
- Executes dropped EXE
Level 37: C:\Windows\SysWOW64\Jndhddaf.exe (PID 2996), command line: C:\Windows\system32\Jndhddaf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 38: C:\Windows\SysWOW64\Jlghpa32.exe (PID 2764), command line: C:\Windows\system32\Jlghpa32.exe
- Executes dropped EXE
Level 39: C:\Windows\SysWOW64\Jhniebne.exe (PID 288), command line: C:\Windows\system32\Jhniebne.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Level 40: C:\Windows\SysWOW64\Jafmngde.exe (PID 1028), command line: C:\Windows\system32\Jafmngde.exe
- Executes dropped EXE
Level 41: C:\Windows\SysWOW64\Jhqeka32.exe (PID 1528), command line: C:\Windows\system32\Jhqeka32.exe
- Executes dropped EXE
Level 42: C:\Windows\SysWOW64\Jkobgm32.exe (PID 2388), command line: C:\Windows\system32\Jkobgm32.exe
- Executes dropped EXE
Level 43: C:\Windows\SysWOW64\Klonqpbi.exe (PID 2428), command line: C:\Windows\system32\Klonqpbi.exe
- Executes dropped EXE
Level 44: C:\Windows\SysWOW64\Komjmk32.exe (PID 684), command line: C:\Windows\system32\Komjmk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 45: C:\Windows\SysWOW64\Kheofahm.exe (PID 2012), command line: C:\Windows\system32\Kheofahm.exe
- Executes dropped EXE
Level 46: C:\Windows\SysWOW64\Kkckblgq.exe (PID 1776), command line: C:\Windows\system32\Kkckblgq.exe
- Executes dropped EXE
Level 47: C:\Windows\SysWOW64\Koogbk32.exe (PID 1680), command line: C:\Windows\system32\Koogbk32.exe
- Executes dropped EXE
Level 48: C:\Windows\SysWOW64\Kgjlgm32.exe (PID 552), command line: C:\Windows\system32\Kgjlgm32.exe
- Executes dropped EXE
Level 49: C:\Windows\SysWOW64\Knddcg32.exe (PID 296), command line: C:\Windows\system32\Knddcg32.exe
- Executes dropped EXE
- Modifies registry class
Level 50: C:\Windows\SysWOW64\Kdnlpaln.exe (PID 1948), command line: C:\Windows\system32\Kdnlpaln.exe
- Executes dropped EXE
Level 51: C:\Windows\SysWOW64\Kgmilmkb.exe (PID 2652), command line: C:\Windows\system32\Kgmilmkb.exe
- Executes dropped EXE
Level 52: C:\Windows\SysWOW64\Kmjaddii.exe (PID 2312), command line: C:\Windows\system32\Kmjaddii.exe
- Executes dropped EXE
- Modifies registry class
Level 53: C:\Windows\SysWOW64\Kgoebmip.exe (PID 2432), command line: C:\Windows\system32\Kgoebmip.exe
- Executes dropped EXE
Level 54: C:\Windows\SysWOW64\Kninog32.exe (PID 2944), command line: C:\Windows\system32\Kninog32.exe
- Executes dropped EXE
Level 55: C:\Windows\SysWOW64\Lfdbcing.exe (PID 2836), command line: C:\Windows\system32\Lfdbcing.exe
- Executes dropped EXE
Level 56: C:\Windows\SysWOW64\Ljpnch32.exe (PID 2708), command line: C:\Windows\system32\Ljpnch32.exe
- Executes dropped EXE
- Drops file in System32 directory
Level 57: C:\Windows\SysWOW64\Lchclmla.exe (PID 748), command line: C:\Windows\system32\Lchclmla.exe
- Executes dropped EXE
Level 58: C:\Windows\SysWOW64\Lffohikd.exe (PID 1232), command line: C:\Windows\system32\Lffohikd.exe
- Executes dropped EXE
Level 59: C:\Windows\SysWOW64\Lkcgapjl.exe (PID 1408), command line: C:\Windows\system32\Lkcgapjl.exe
- Executes dropped EXE
Level 60: C:\Windows\SysWOW64\Lckpbm32.exe (PID 1816), command line: C:\Windows\system32\Lckpbm32.exe
- Executes dropped EXE
- Modifies registry class
Level 61: C:\Windows\SysWOW64\Lkfdfo32.exe (PID 2356), command line: C:\Windows\system32\Lkfdfo32.exe
- Executes dropped EXE
Level 62: C:\Windows\SysWOW64\Lpapgnpb.exe (PID 2480), command line: C:\Windows\system32\Lpapgnpb.exe
- Executes dropped EXE
Level 63: C:\Windows\SysWOW64\Lenioenj.exe (PID 2068), command line: C:\Windows\system32\Lenioenj.exe
- Executes dropped EXE
Level 64: C:\Windows\SysWOW64\Lpcmlnnp.exe (PID 1348), command line: C:\Windows\system32\Lpcmlnnp.exe
- Executes dropped EXE
Level 65: C:\Windows\SysWOW64\Leqeed32.exe (PID 236), command line: C:\Windows\system32\Leqeed32.exe
- Executes dropped EXE
Level 66: C:\Windows\SysWOW64\Mgoaap32.exe (PID 2672), command line: C:\Windows\system32\Mgoaap32.exe
- Executes dropped EXE
Level 67: C:\Windows\SysWOW64\Mecbjd32.exe (PID 860), command line: C:\Windows\system32\Mecbjd32.exe
Level 68: C:\Windows\SysWOW64\Mcfbfaao.exe (PID 2408), command line: C:\Windows\system32\Mcfbfaao.exe
- Drops file in System32 directory
Level 69: C:\Windows\SysWOW64\Mmngof32.exe (PID 2536), command line: C:\Windows\system32\Mmngof32.exe
Level 70: C:\Windows\SysWOW64\Meeopdhb.exe (PID 1688), command line: C:\Windows\system32\Meeopdhb.exe
Level 71: C:\Windows\SysWOW64\Mnncii32.exe (PID 1588), command line: C:\Windows\system32\Mnncii32.exe
Level 72: C:\Windows\SysWOW64\Malpee32.exe (PID 324), command line: C:\Windows\system32\Malpee32.exe
Level 73: C:\Windows\SysWOW64\Mhfhaoec.exe (PID 3012), command line: C:\Windows\system32\Mhfhaoec.exe
Level 74: C:\Windows\SysWOW64\Migdig32.exe (PID 3008), command line: C:\Windows\system32\Migdig32.exe
Level 75: C:\Windows\SysWOW64\Manljd32.exe (PID 2288), command line: C:\Windows\system32\Manljd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Level 76: C:\Windows\SysWOW64\Miiaogio.exe (PID 1600), command line: C:\Windows\system32\Miiaogio.exe
Level 77: C:\Windows\SysWOW64\Mmemoe32.exe (PID 824), command line: C:\Windows\system32\Mmemoe32.exe
Level 78: C:\Windows\SysWOW64\Nfmahkhh.exe (PID 2784), command line: C:\Windows\system32\Nfmahkhh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Level 79: C:\Windows\SysWOW64\Npffaq32.exe (PID 916), command line: C:\Windows\system32\Npffaq32.exe
- Drops file in System32 directory
Level 80: C:\Windows\SysWOW64\Noifmmec.exe (PID 2196), command line: C:\Windows\system32\Noifmmec.exe
Level 81: C:\Windows\SysWOW64\Nebnigmp.exe (PID 1368), command line: C:\Windows\system32\Nebnigmp.exe
Level 82: C:\Windows\SysWOW64\Nokcbm32.exe (PID 1540), command line: C:\Windows\system32\Nokcbm32.exe
Level 83: C:\Windows\SysWOW64\Naionh32.exe (PID 2628), command line: C:\Windows\system32\Naionh32.exe
- Drops file in System32 directory
Level 84: C:\Windows\SysWOW64\Nomphm32.exe (PID 596), command line: C:\Windows\system32\Nomphm32.exe
Level 85: C:\Windows\SysWOW64\Ndjhpcoe.exe (PID 1888), command line: C:\Windows\system32\Ndjhpcoe.exe
Level 86: C:\Windows\SysWOW64\Nlapaapg.exe (PID 1160), command line: C:\Windows\system32\Nlapaapg.exe
Level 87: C:\Windows\SysWOW64\Nmbmii32.exe (PID 1364), command line: C:\Windows\system32\Nmbmii32.exe
Level 88: C:\Windows\SysWOW64\Nhhqfb32.exe (PID 2732), command line: C:\Windows\system32\Nhhqfb32.exe
Level 89: C:\Windows\SysWOW64\Okfmbm32.exe (PID 1624), command line: C:\Windows\system32\Okfmbm32.exe
Level 90: C:\Windows\SysWOW64\Opcejd32.exe (PID 2128), command line: C:\Windows\system32\Opcejd32.exe
Level 91: C:\Windows\SysWOW64\Ohjmlaci.exe (PID 2992), command line: C:\Windows\system32\Ohjmlaci.exe
Level 92: C:\Windows\SysWOW64\Okijhmcm.exe (PID 660), command line: C:\Windows\system32\Okijhmcm.exe
Level 93: C:\Windows\SysWOW64\Ocdnloph.exe (PID 1808), command line: C:\Windows\system32\Ocdnloph.exe
Level 94: C:\Windows\SysWOW64\Oingii32.exe (PID 2276), command line: C:\Windows\system32\Oingii32.exe
Level 95: C:\Windows\SysWOW64\Odckfb32.exe (PID 1500), command line: C:\Windows\system32\Odckfb32.exe
Level 96: C:\Windows\SysWOW64\Oeegnj32.exe (PID 932), command line: C:\Windows\system32\Oeegnj32.exe
Level 97: C:\Windows\SysWOW64\Onlooh32.exe (PID 2448), command line: C:\Windows\system32\Onlooh32.exe
- Drops file in System32 directory
Level 98: C:\Windows\SysWOW64\Opjlkc32.exe (PID 2232), command line: C:\Windows\system32\Opjlkc32.exe
Level 99: C:\Windows\SysWOW64\Ocihgo32.exe (PID 2044), command line: C:\Windows\system32\Ocihgo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Level 100: C:\Windows\SysWOW64\Ogddhmdl.exe (PID 2164), command line: C:\Windows\system32\Ogddhmdl.exe
Level 101: C:\Windows\SysWOW64\Piemih32.exe (PID 3044), command line: C:\Windows\system32\Piemih32.exe
Level 102: C:\Windows\SysWOW64\Plcied32.exe (PID 2916), command line: C:\Windows\system32\Plcied32.exe
Level 103: C:\Windows\SysWOW64\Pelnniga.exe (PID 2424), command line: C:\Windows\system32\Pelnniga.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Level 104: C:\Windows\SysWOW64\Phjjkefd.exe (PID 2224), command line: C:\Windows\system32\Phjjkefd.exe
Level 105: C:\Windows\SysWOW64\Pabncj32.exe (PID 3048), command line: C:\Windows\system32\Pabncj32.exe
Level 106: C:\Windows\SysWOW64\Pdajpf32.exe (PID 2092), command line: C:\Windows\system32\Pdajpf32.exe
Level 107: C:\Windows\SysWOW64\Phmfpddb.exe (PID 1752), command line: C:\Windows\system32\Phmfpddb.exe
Level 108: C:\Windows\SysWOW64\Pqhkdg32.exe (PID 1444), command line: C:\Windows\system32\Pqhkdg32.exe
Level 109: C:\Windows\SysWOW64\Phocfd32.exe (PID 2600), command line: C:\Windows\system32\Phocfd32.exe
Level 110: C:\Windows\SysWOW64\Pnllnk32.exe (PID 264), command line: C:\Windows\system32\Pnllnk32.exe
Level 111: C:\Windows\SysWOW64\Pgdpgqgg.exe (PID 676), command line: C:\Windows\system32\Pgdpgqgg.exe
Level 112: C:\Windows\SysWOW64\Pkplgoop.exe (PID 1696), command line: C:\Windows\system32\Pkplgoop.exe
Level 113: C:\Windows\SysWOW64\Qgfmlp32.exe (PID 568), command line: C:\Windows\system32\Qgfmlp32.exe
Level 114: C:\Windows\SysWOW64\Qfimhmlo.exe (PID 2852), command line: C:\Windows\system32\Qfimhmlo.exe
Level 115: C:\Windows\SysWOW64\Qoaaqb32.exe (PID 2868), command line: C:\Windows\system32\Qoaaqb32.exe
Level 116: C:\Windows\SysWOW64\Qgiibp32.exe (PID 3024), command line: C:\Windows\system32\Qgiibp32.exe
Level 117: C:\Windows\SysWOW64\Amebjgai.exe (PID 2912), command line: C:\Windows\system32\Amebjgai.exe
Level 118: C:\Windows\SysWOW64\Abbjbnoq.exe (PID 2384), command line: C:\Windows\system32\Abbjbnoq.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Level 119: C:\Windows\SysWOW64\Ailboh32.exe (PID 1436), command line: C:\Windows\system32\Ailboh32.exe
Level 120: C:\Windows\SysWOW64\Acbglq32.exe (PID 1972), command line: C:\Windows\system32\Acbglq32.exe
Level 121: C:\Windows\SysWOW64\Afpchl32.exe (PID 1760), command line: C:\Windows\system32\Afpchl32.exe
- Modifies registry class
Level 122: C:\Windows\SysWOW64\Aioodg32.exe (PID 1568), command line: C:\Windows\system32\Aioodg32.exe