Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
79s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
11/07/2024, 05:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe
-
Size
192KB
-
MD5
eb3a6c847f2846f9a29f19fc32853484
-
SHA1
2523a3f4c66a9a44370e59125615a3be99a6b244
-
SHA256
ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8
-
SHA512
c19bb4c0af32757cac08da00e7bd45b8693424e1f4f01b474cbaf4478b2f32ec0c66effacece931464a3da4bce7c42bdcf1d8cb9ac077fd760c593d91c0cc4cd
-
SSDEEP
3072:SojNNvF4D+7zhYp++F3v7OICGUeHr4MKy3G7UEqMM6T9pui6yYPaI7DehizrVtNB:tNdFB7zhYp+Qv7OINUndpui6yYPaIGcn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccgahe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnppjcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnbqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mccaodgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjchjcmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfobjdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhkiae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbbbed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqidme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pblinp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djhldahb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjgfomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lejppj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajghgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchobqnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikkfilp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdpfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djkodg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlgfqldf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qcjjakip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnppei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phphgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjnhnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hamgno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlbnja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfmjoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgndnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbolce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifqfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmighemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iglkoaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbclj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Behnkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifniaeqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjnnbfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemjbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khpaidpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgogfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbobgfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eonfgbhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekanbol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpnlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgdpnqfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfmehdpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqhhbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlfina32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcijmhdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clfkfeno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnoaliln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gokmnlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgnfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdailaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peapmhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agolpnjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekblplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Legcjjjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiclnpjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Damhmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjqqianh.exe -
Executes dropped EXE 64 IoCs
pid Process 2888 Jdjgfomh.exe 2936 Jcaqmkpn.exe 2920 Jkobgm32.exe 2732 Kfgcieii.exe 2716 Kkfhglen.exe 2268 Kjnanhhc.exe 1080 Lffohikd.exe 1796 Lkfdfo32.exe 2020 Leqeed32.exe 1192 Mhckloge.exe 3044 Mpoppadq.exe 588 Nilndfgl.exe 2076 Naionh32.exe 2400 Nanhihno.exe 1616 Omgfdhbq.exe 1504 Olopjddf.exe 2204 Oegdcj32.exe 1720 Pgogla32.exe 2576 Pqhkdg32.exe 1016 Qckalamk.exe 2316 Qcmnaaji.exe 1408 Amhopfof.exe 872 Anpahn32.exe 1264 Bgkbfcck.exe 1604 Bjlkhn32.exe 2844 Bjnhnn32.exe 2840 Bpkqfdmp.exe 2972 Cbnfmo32.exe 2356 Clfkfeno.exe 2276 Cligkdlm.exe 2680 Chohqebq.exe 3036 Dhaefepn.exe 2764 Dbkffc32.exe 2476 Ddmofeam.exe 636 Dpflqfeo.exe 1268 Eeeanm32.exe 1920 Eonfgbhc.exe 564 Eopcmb32.exe 2860 Ehhgfgla.exe 2140 Ecbhfeip.exe 1960 Gjnigb32.exe 2372 Gcgnphgf.exe 2608 Hliieioi.exe 2120 Hmheol32.exe 364 Hfajhblm.exe 2644 Hbgjmcba.exe 2640 Hiabjm32.exe 320 Hamgno32.exe 2456 Inqhhc32.exe 1608 Idnppjcj.exe 2932 Ipdaek32.exe 676 Ifniaeqk.exe 1512 Ifqfge32.exe 2740 Ifcbme32.exe 3060 Ilpkel32.exe 2260 Jiclnpjg.exe 1880 Joqdfghn.exe 936 Jlgaek32.exe 956 Jnjjcbiq.exe 1924 Kjfdcc32.exe 2244 Kfmehdpc.exe 2216 Kcqfahom.exe 2068 Kjjnnbfj.exe 1324 Lddoopbi.exe -
Loads dropped DLL 64 IoCs
pid Process 2780 ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe 2780 ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe 2888 Jdjgfomh.exe 2888 Jdjgfomh.exe 2936 Jcaqmkpn.exe 2936 Jcaqmkpn.exe 2920 Jkobgm32.exe 2920 Jkobgm32.exe 2732 Kfgcieii.exe 2732 Kfgcieii.exe 2716 Kkfhglen.exe 2716 Kkfhglen.exe 2268 Kjnanhhc.exe 2268 Kjnanhhc.exe 1080 Lffohikd.exe 1080 Lffohikd.exe 1796 Lkfdfo32.exe 1796 Lkfdfo32.exe 2020 Leqeed32.exe 2020 Leqeed32.exe 1192 Mhckloge.exe 1192 Mhckloge.exe 3044 Mpoppadq.exe 3044 Mpoppadq.exe 588 Nilndfgl.exe 588 Nilndfgl.exe 2076 Naionh32.exe 2076 Naionh32.exe 2400 Nanhihno.exe 2400 Nanhihno.exe 1616 Omgfdhbq.exe 1616 Omgfdhbq.exe 1504 Olopjddf.exe 1504 Olopjddf.exe 2204 Oegdcj32.exe 2204 Oegdcj32.exe 1720 Pgogla32.exe 1720 Pgogla32.exe 2576 Pqhkdg32.exe 2576 Pqhkdg32.exe 1016 Qckalamk.exe 1016 Qckalamk.exe 2316 Qcmnaaji.exe 2316 Qcmnaaji.exe 1408 Amhopfof.exe 1408 Amhopfof.exe 872 Anpahn32.exe 872 Anpahn32.exe 1264 Bgkbfcck.exe 1264 Bgkbfcck.exe 1604 Bjlkhn32.exe 1604 Bjlkhn32.exe 2844 Bjnhnn32.exe 2844 Bjnhnn32.exe 2840 Bpkqfdmp.exe 2840 Bpkqfdmp.exe 2972 Cbnfmo32.exe 2972 Cbnfmo32.exe 2356 Clfkfeno.exe 2356 Clfkfeno.exe 2276 Cligkdlm.exe 2276 Cligkdlm.exe 2680 Chohqebq.exe 2680 Chohqebq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kepajbam.dll Oegdcj32.exe File created C:\Windows\SysWOW64\Eonfgbhc.exe Eeeanm32.exe File opened for modification C:\Windows\SysWOW64\Pppnia32.exe Pghjqlmi.exe File created C:\Windows\SysWOW64\Alqplmlb.exe Adekhkng.exe File created C:\Windows\SysWOW64\Lejppj32.exe Lpmhgc32.exe File opened for modification C:\Windows\SysWOW64\Nilndfgl.exe Mpoppadq.exe File created C:\Windows\SysWOW64\Aqkaef32.dll Onbkle32.exe File created C:\Windows\SysWOW64\Dhoeadlm.dll Gklkdn32.exe File opened for modification C:\Windows\SysWOW64\Ncnmhajo.exe Mpmdff32.exe File created C:\Windows\SysWOW64\Bkefcc32.exe Behnkm32.exe File opened for modification C:\Windows\SysWOW64\Pldnge32.exe Pblinp32.exe File created C:\Windows\SysWOW64\Cnhhia32.exe Ckilmfke.exe File created C:\Windows\SysWOW64\Mpoppadq.exe Mhckloge.exe File created C:\Windows\SysWOW64\Obfdgiji.exe Oimpnc32.exe File opened for modification C:\Windows\SysWOW64\Jhchjgoh.exe Iokdaa32.exe File opened for modification C:\Windows\SysWOW64\Dnmhogjo.exe Dmllgo32.exe File created C:\Windows\SysWOW64\Mbmffd32.dll Fdhigo32.exe File created C:\Windows\SysWOW64\Hamgno32.exe Hiabjm32.exe File created C:\Windows\SysWOW64\Oepghe32.exe Opbopn32.exe File created C:\Windows\SysWOW64\Cpgahgmj.dll Obfdgiji.exe File created C:\Windows\SysWOW64\Cjkoioja.dll Joqdfghn.exe File opened for modification C:\Windows\SysWOW64\Ldlghhde.exe Lhegcg32.exe File created C:\Windows\SysWOW64\Nelglc32.dll Bnhljnhm.exe File created C:\Windows\SysWOW64\Gbolce32.exe Gifhkpgk.exe File created C:\Windows\SysWOW64\Dfnjqifb.exe Dijjgegh.exe File opened for modification C:\Windows\SysWOW64\Qdieaf32.exe Qjqqianh.exe File created C:\Windows\SysWOW64\Pgogla32.exe Oegdcj32.exe File created C:\Windows\SysWOW64\Opbopn32.exe Oemjbe32.exe File created C:\Windows\SysWOW64\Nfqdjl32.dll Baiingae.exe File created C:\Windows\SysWOW64\Gmnlog32.exe Gkoodd32.exe File created C:\Windows\SysWOW64\Iokdaa32.exe Iagchmjn.exe File opened for modification C:\Windows\SysWOW64\Djcbib32.exe Dcijmhdj.exe File opened for modification C:\Windows\SysWOW64\Gpiffngk.exe Gdbeqmag.exe File created C:\Windows\SysWOW64\Ddmfllng.dll Pgogla32.exe File created C:\Windows\SysWOW64\Jkkleb32.dll Qlbnja32.exe File opened for modification C:\Windows\SysWOW64\Fakhhk32.exe Fplknh32.exe File created C:\Windows\SysWOW64\Pacqlcdi.exe Plfhdlfb.exe File created C:\Windows\SysWOW64\Eabgjeef.exe Eleobngo.exe File opened for modification C:\Windows\SysWOW64\Nhngem32.exe Nlgfqldf.exe File created C:\Windows\SysWOW64\Fpddof32.dll Ibbffq32.exe File opened for modification C:\Windows\SysWOW64\Imidgh32.exe Iglkoaad.exe File created C:\Windows\SysWOW64\Ipgpcc32.exe Imidgh32.exe File opened for modification C:\Windows\SysWOW64\Kmeiei32.exe Khfcgbge.exe File created C:\Windows\SysWOW64\Ilmjan32.dll Iagchmjn.exe File created C:\Windows\SysWOW64\Ofefqf32.exe Oiqegb32.exe File created C:\Windows\SysWOW64\Klpjgbfb.dll Damhmc32.exe File opened for modification C:\Windows\SysWOW64\Mdkcgk32.exe Mmpobi32.exe File created C:\Windows\SysWOW64\Hghkmd32.dll Jcmhmp32.exe File opened for modification C:\Windows\SysWOW64\Lckbkfbb.exe Lgdafeln.exe File created C:\Windows\SysWOW64\Popkeh32.exe Ofefqf32.exe File created C:\Windows\SysWOW64\Ogljib32.dll Fcegdnna.exe File created C:\Windows\SysWOW64\Jnjjcbiq.exe Jlgaek32.exe File opened for modification C:\Windows\SysWOW64\Ndiaem32.exe Ndgdpn32.exe File created C:\Windows\SysWOW64\Eabeal32.exe Eekdmk32.exe File created C:\Windows\SysWOW64\Gofajcog.exe Fcoaebjc.exe File created C:\Windows\SysWOW64\Gccjpb32.exe Gofajcog.exe File created C:\Windows\SysWOW64\Ikooof32.dll Ibnodj32.exe File opened for modification C:\Windows\SysWOW64\Njjieace.exe Nbodpo32.exe File created C:\Windows\SysWOW64\Cccgni32.exe Cfpgee32.exe File created C:\Windows\SysWOW64\Oambdf32.dll Iniidj32.exe File created C:\Windows\SysWOW64\Becbne32.dll Jkobgm32.exe File opened for modification C:\Windows\SysWOW64\Jfkbqcam.exe Jigagocd.exe File created C:\Windows\SysWOW64\Nagbnnje.dll Mqhhbn32.exe File opened for modification C:\Windows\SysWOW64\Dedkbb32.exe Ceanmc32.exe -
Program crash 1 IoCs
pid pid_target Process 5100 5068 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcijqgo.dll" Imepgbnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpbgghhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofefqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alqplmlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eabgjeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nifjnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlkmo32.dll" Gqidme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Effidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldepenep.dll" Kanfgofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnomkloi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lllihf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Papmlmbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnjnolap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olopjddf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkoodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifiilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnhljnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdllci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpkkbcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Appfggjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmighemp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hedllgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdkcgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiajmgka.dll" Efdmohmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biqghigf.dll" Lbgkhoml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecnpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacdmc32.dll" Ghlell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfgcieii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Leqeed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncacf32.dll" Olopjddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agldbd32.dll" Gdbchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknkfi32.dll" Njjieace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnlmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imooak32.dll" Ohkpdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkobgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbhphdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obilip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjnigb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnaiah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inqhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bigohejb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emdgjpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkbefj32.dll" Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepjmp32.dll" Khfcgbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjqaegh.dll" Eedijo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpflqfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Falakjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldndng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qdieaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepdfd32.dll" Aefaemqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnbll32.dll" Cjqglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmnclpk.dll" Alqplmlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbjhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncnmhajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdblmp.dll" Ccinnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibnodj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpmhgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkagpjl.dll" Nlfaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pikkfilp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2888 2780 ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe 30 PID 2780 wrote to memory of 2888 2780 ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe 30 PID 2780 wrote to memory of 2888 2780 ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe 30 PID 2780 wrote to memory of 2888 2780 ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe 30 PID 2888 wrote to memory of 2936 2888 Jdjgfomh.exe 31 PID 2888 wrote to memory of 2936 2888 Jdjgfomh.exe 31 PID 2888 wrote to memory of 2936 2888 Jdjgfomh.exe 31 PID 2888 wrote to memory of 2936 2888 Jdjgfomh.exe 31 PID 2936 wrote to memory of 2920 2936 Jcaqmkpn.exe 32 PID 2936 wrote to memory of 2920 2936 Jcaqmkpn.exe 32 PID 2936 wrote to memory of 2920 2936 Jcaqmkpn.exe 32 PID 2936 wrote to memory of 2920 2936 Jcaqmkpn.exe 32 PID 2920 wrote to memory of 2732 2920 Jkobgm32.exe 33 PID 2920 wrote to memory of 2732 2920 Jkobgm32.exe 33 PID 2920 wrote to memory of 2732 2920 Jkobgm32.exe 33 PID 2920 wrote to memory of 2732 2920 Jkobgm32.exe 33 PID 2732 wrote to memory of 2716 2732 Kfgcieii.exe 34 PID 2732 wrote to memory of 2716 2732 Kfgcieii.exe 34 PID 2732 wrote to memory of 2716 2732 Kfgcieii.exe 34 PID 2732 wrote to memory of 2716 2732 Kfgcieii.exe 34 PID 2716 wrote to memory of 2268 2716 Kkfhglen.exe 35 PID 2716 wrote to memory of 2268 2716 Kkfhglen.exe 35 PID 2716 wrote to memory of 2268 2716 Kkfhglen.exe 35 PID 2716 wrote to memory of 2268 2716 Kkfhglen.exe 35 PID 2268 wrote to memory of 1080 2268 Kjnanhhc.exe 36 PID 2268 wrote to memory of 1080 2268 Kjnanhhc.exe 36 PID 2268 wrote to memory of 1080 2268 Kjnanhhc.exe 36 PID 2268 wrote to memory of 1080 2268 Kjnanhhc.exe 36 PID 1080 wrote to memory of 1796 1080 Lffohikd.exe 37 PID 1080 wrote to memory of 1796 1080 Lffohikd.exe 37 PID 1080 wrote to memory of 1796 1080 Lffohikd.exe 37 PID 1080 wrote to memory of 1796 1080 Lffohikd.exe 37 PID 1796 wrote to memory of 2020 1796 Lkfdfo32.exe 38 PID 1796 wrote to memory of 2020 1796 Lkfdfo32.exe 38 PID 1796 wrote to memory of 2020 1796 Lkfdfo32.exe 38 PID 1796 wrote to memory of 2020 1796 Lkfdfo32.exe 38 PID 2020 wrote to memory of 1192 2020 Leqeed32.exe 39 PID 2020 wrote to memory of 1192 2020 Leqeed32.exe 39 PID 2020 wrote to memory of 1192 2020 Leqeed32.exe 39 PID 2020 wrote to memory of 1192 2020 Leqeed32.exe 39 PID 1192 wrote to memory of 3044 1192 Mhckloge.exe 40 PID 1192 wrote to memory of 3044 1192 Mhckloge.exe 40 PID 1192 wrote to memory of 3044 1192 Mhckloge.exe 40 PID 1192 wrote to memory of 3044 1192 Mhckloge.exe 40 PID 3044 wrote to memory of 588 3044 Mpoppadq.exe 41 PID 3044 wrote to memory of 588 3044 Mpoppadq.exe 41 PID 3044 wrote to memory of 588 3044 Mpoppadq.exe 41 PID 3044 wrote to memory of 588 3044 Mpoppadq.exe 41 PID 588 wrote to memory of 2076 588 Nilndfgl.exe 42 PID 588 wrote to memory of 2076 588 Nilndfgl.exe 42 PID 588 wrote to memory of 2076 588 Nilndfgl.exe 42 PID 588 wrote to memory of 2076 588 Nilndfgl.exe 42 PID 2076 wrote to memory of 2400 2076 Naionh32.exe 43 PID 2076 wrote to memory of 2400 2076 Naionh32.exe 43 PID 2076 wrote to memory of 2400 2076 Naionh32.exe 43 PID 2076 wrote to memory of 2400 2076 Naionh32.exe 43 PID 2400 wrote to memory of 1616 2400 Nanhihno.exe 44 PID 2400 wrote to memory of 1616 2400 Nanhihno.exe 44 PID 2400 wrote to memory of 1616 2400 Nanhihno.exe 44 PID 2400 wrote to memory of 1616 2400 Nanhihno.exe 44 PID 1616 wrote to memory of 1504 1616 Omgfdhbq.exe 45 PID 1616 wrote to memory of 1504 1616 Omgfdhbq.exe 45 PID 1616 wrote to memory of 1504 1616 Omgfdhbq.exe 45 PID 1616 wrote to memory of 1504 1616 Omgfdhbq.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe"C:\Users\Admin\AppData\Local\Temp\ca4e7ff21fe7270e0b0807a22b90f29ba332a13c0eb98ea1d36668ea3d9d7da8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Jkobgm32.exeC:\Windows\system32\Jkobgm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Kfgcieii.exeC:\Windows\system32\Kfgcieii.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Kkfhglen.exeC:\Windows\system32\Kkfhglen.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Kjnanhhc.exeC:\Windows\system32\Kjnanhhc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Lkfdfo32.exeC:\Windows\system32\Lkfdfo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Leqeed32.exeC:\Windows\system32\Leqeed32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Nanhihno.exeC:\Windows\system32\Nanhihno.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Olopjddf.exeC:\Windows\system32\Olopjddf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Pqhkdg32.exeC:\Windows\system32\Pqhkdg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Qckalamk.exeC:\Windows\system32\Qckalamk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Qcmnaaji.exeC:\Windows\system32\Qcmnaaji.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Amhopfof.exeC:\Windows\system32\Amhopfof.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\Anpahn32.exeC:\Windows\system32\Anpahn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Bgkbfcck.exeC:\Windows\system32\Bgkbfcck.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Bjlkhn32.exeC:\Windows\system32\Bjlkhn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Bjnhnn32.exeC:\Windows\system32\Bjnhnn32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Cbnfmo32.exeC:\Windows\system32\Cbnfmo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Clfkfeno.exeC:\Windows\system32\Clfkfeno.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Cligkdlm.exeC:\Windows\system32\Cligkdlm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Dhaefepn.exeC:\Windows\system32\Dhaefepn.exe33⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe34⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ddmofeam.exeC:\Windows\system32\Ddmofeam.exe35⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Eeeanm32.exeC:\Windows\system32\Eeeanm32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Eonfgbhc.exeC:\Windows\system32\Eonfgbhc.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Eopcmb32.exeC:\Windows\system32\Eopcmb32.exe39⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Ehhgfgla.exeC:\Windows\system32\Ehhgfgla.exe40⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe41⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe43⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe44⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe45⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe46⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe47⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Hiabjm32.exeC:\Windows\system32\Hiabjm32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Inqhhc32.exeC:\Windows\system32\Inqhhc32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ipdaek32.exeC:\Windows\system32\Ipdaek32.exe52⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Ifqfge32.exeC:\Windows\system32\Ifqfge32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ifcbme32.exeC:\Windows\system32\Ifcbme32.exe55⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe56⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Jiclnpjg.exeC:\Windows\system32\Jiclnpjg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Joqdfghn.exeC:\Windows\system32\Joqdfghn.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Jlgaek32.exeC:\Windows\system32\Jlgaek32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe60⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe61⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Kfmehdpc.exeC:\Windows\system32\Kfmehdpc.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe63⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe65⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Lbhphdab.exeC:\Windows\system32\Lbhphdab.exe66⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe67⤵PID:2312
-
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe68⤵PID:1916
-
C:\Windows\SysWOW64\Lkcqfifp.exeC:\Windows\system32\Lkcqfifp.exe69⤵PID:672
-
C:\Windows\SysWOW64\Ldkeoo32.exeC:\Windows\system32\Ldkeoo32.exe70⤵PID:2448
-
C:\Windows\SysWOW64\Ljhngfkh.exeC:\Windows\system32\Ljhngfkh.exe71⤵PID:2616
-
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe72⤵PID:2248
-
C:\Windows\SysWOW64\Mfakbf32.exeC:\Windows\system32\Mfakbf32.exe73⤵PID:2388
-
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe74⤵PID:2828
-
C:\Windows\SysWOW64\Mjodhe32.exeC:\Windows\system32\Mjodhe32.exe75⤵PID:2724
-
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe76⤵
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Mnaiah32.exeC:\Windows\system32\Mnaiah32.exe77⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1036 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe81⤵PID:1772
-
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe82⤵PID:1508
-
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe83⤵PID:884
-
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe84⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe85⤵PID:2360
-
C:\Windows\SysWOW64\Nifjnd32.exeC:\Windows\system32\Nifjnd32.exe86⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Opbopn32.exeC:\Windows\system32\Opbopn32.exe88⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe89⤵PID:1064
-
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe90⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Obfdgiji.exeC:\Windows\system32\Obfdgiji.exe91⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Okailkhd.exeC:\Windows\system32\Okailkhd.exe92⤵PID:3028
-
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe93⤵PID:3048
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe94⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe95⤵PID:1440
-
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe96⤵PID:2988
-
C:\Windows\SysWOW64\Ppbkoabf.exeC:\Windows\system32\Ppbkoabf.exe97⤵PID:2148
-
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe98⤵PID:2188
-
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Pojdem32.exeC:\Windows\system32\Pojdem32.exe100⤵PID:2432
-
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe101⤵PID:1544
-
C:\Windows\SysWOW64\Polakmbi.exeC:\Windows\system32\Polakmbi.exe102⤵PID:2328
-
C:\Windows\SysWOW64\Qcjjakip.exeC:\Windows\system32\Qcjjakip.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Qlbnja32.exeC:\Windows\system32\Qlbnja32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1888 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe106⤵PID:432
-
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe107⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe108⤵PID:328
-
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe109⤵PID:1404
-
C:\Windows\SysWOW64\Bfmlgi32.exeC:\Windows\system32\Bfmlgi32.exe110⤵PID:2292
-
C:\Windows\SysWOW64\Bebiifka.exeC:\Windows\system32\Bebiifka.exe111⤵PID:1804
-
C:\Windows\SysWOW64\Baiingae.exeC:\Windows\system32\Baiingae.exe112⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Bjanfl32.exeC:\Windows\system32\Bjanfl32.exe113⤵PID:2240
-
C:\Windows\SysWOW64\Cegbce32.exeC:\Windows\system32\Cegbce32.exe114⤵PID:2484
-
C:\Windows\SysWOW64\Epjbienl.exeC:\Windows\system32\Epjbienl.exe115⤵PID:2252
-
C:\Windows\SysWOW64\Empphi32.exeC:\Windows\system32\Empphi32.exe116⤵PID:2592
-
C:\Windows\SysWOW64\Eekdmk32.exeC:\Windows\system32\Eekdmk32.exe117⤵
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe118⤵PID:1944
-
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe119⤵PID:2704
-
C:\Windows\SysWOW64\Fkmfpabp.exeC:\Windows\system32\Fkmfpabp.exe120⤵PID:2760
-
C:\Windows\SysWOW64\Fkocfa32.exeC:\Windows\system32\Fkocfa32.exe121⤵PID:2284
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-