Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
111s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21/07/2024, 11:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ba8dbbbf6fdf78071ca5c7ffcf648690N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
ba8dbbbf6fdf78071ca5c7ffcf648690N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
ba8dbbbf6fdf78071ca5c7ffcf648690N.exe
-
Size
194KB
-
MD5
ba8dbbbf6fdf78071ca5c7ffcf648690
-
SHA1
c8aed2908ada6fbc92689cca20ee161c500f9cff
-
SHA256
2fd6af9c22787c793b1f063465a8c065642df1ee788866b5c4e22526f4e20d26
-
SHA512
114787659db3fcdd91f7eee5a96bdab9ef64905d2a76f361e9e16e4c1469e7059939d2136ba276941d6269b2be425153ddfbfda5e7462370b4c16d112b56268a
-
SSDEEP
3072:ZO1PfesMjdSfUNRbCeR0pN03xWlJ7mlOD6pN03:E1PWjjdSfUNRbCeKpNYxWlJ7mkD6pNY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnafop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnqbhdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkojcgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkbimbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmbclj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fokaoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glajmppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lggpdmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqmmhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbolce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iganmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmaoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihcakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngiiip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imaglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jecnpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgogfmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdijo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkkbcpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifdmbib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkegimk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhjjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joohmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaangfjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaaoakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibbqmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifelfni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inaliedk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllkaobc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmocha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lednal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgemgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjbjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmgoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciiccbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdmahpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achlch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homfboco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flpkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nffcebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agmacgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glajmppm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdefgimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahobdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbjejojn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkihli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feklja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfanjcke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlklik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cincaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homfboco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkiemqdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbadcdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlijan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfcadq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqplmlb.exe -
Executes dropped EXE 64 IoCs
pid Process 2104 Nlklik32.exe 296 Nmjicn32.exe 2764 Njdbefnf.exe 3068 Ohkpdj32.exe 2948 Ofbikf32.exe 2668 Pbkgegad.exe 1856 Pelpgb32.exe 2372 Peolmb32.exe 2976 Qicoleno.exe 2672 Ajghgd32.exe 1364 Alknnodh.exe 1632 Almjcobe.exe 2140 Bjgdfg32.exe 2244 Bqciha32.exe 984 Cmocha32.exe 564 Cifdmbib.exe 2208 Ccdnipal.exe 2196 Dahobdpe.exe 1604 Djqcki32.exe 3036 Dckdio32.exe 1108 Dpbenpqh.exe 3056 Epgoio32.exe 2232 Ekeiel32.exe 892 Egljjmkp.exe 2524 Eaangfjf.exe 1600 Fcegdnna.exe 2708 Folhio32.exe 2840 Faonqiod.exe 2416 Gpfggeai.exe 2648 Gjolpkhj.exe 2784 Gqmmhdka.exe 2408 Hbafel32.exe 2492 Hmfkbeoc.exe 2992 Hbepplkh.exe 2600 Hbhmfk32.exe 2988 Iamjghnm.exe 2484 Iclfccmq.exe 396 Icponb32.exe 1368 Ipgpcc32.exe 1344 Iiodliep.exe 2220 Jbjejojn.exe 2388 Jnafop32.exe 2428 Jhikhefb.exe 588 Jaaoakmc.exe 980 Joepjokm.exe 1956 Jfadoaih.exe 2304 Jmkmlk32.exe 2260 Kfcadq32.exe 2544 Kaieai32.exe 2308 Kmpfgklo.exe 1308 Kpnbcfkc.exe 2696 Kmbclj32.exe 2124 Kppohf32.exe 2756 Kihcakpa.exe 2892 Kpblne32.exe 2732 Khnqbhdi.exe 2628 Lccepqdo.exe 2336 Lkoidcaj.exe 2936 Lednal32.exe 1316 Lkafib32.exe 2496 Lnobfn32.exe 1800 Lhegcg32.exe 2576 Ljfckodo.exe 2096 Lgjcdc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2532 ba8dbbbf6fdf78071ca5c7ffcf648690N.exe 2532 ba8dbbbf6fdf78071ca5c7ffcf648690N.exe 2104 Nlklik32.exe 2104 Nlklik32.exe 296 Nmjicn32.exe 296 Nmjicn32.exe 2764 Njdbefnf.exe 2764 Njdbefnf.exe 3068 Ohkpdj32.exe 3068 Ohkpdj32.exe 2948 Ofbikf32.exe 2948 Ofbikf32.exe 2668 Pbkgegad.exe 2668 Pbkgegad.exe 1856 Pelpgb32.exe 1856 Pelpgb32.exe 2372 Peolmb32.exe 2372 Peolmb32.exe 2976 Qicoleno.exe 2976 Qicoleno.exe 2672 Ajghgd32.exe 2672 Ajghgd32.exe 1364 Alknnodh.exe 1364 Alknnodh.exe 1632 Almjcobe.exe 1632 Almjcobe.exe 2140 Bjgdfg32.exe 2140 Bjgdfg32.exe 2244 Bqciha32.exe 2244 Bqciha32.exe 984 Cmocha32.exe 984 Cmocha32.exe 564 Cifdmbib.exe 564 Cifdmbib.exe 2208 Ccdnipal.exe 2208 Ccdnipal.exe 2196 Dahobdpe.exe 2196 Dahobdpe.exe 1604 Djqcki32.exe 1604 Djqcki32.exe 3036 Dckdio32.exe 3036 Dckdio32.exe 1108 Dpbenpqh.exe 1108 Dpbenpqh.exe 3056 Epgoio32.exe 3056 Epgoio32.exe 2232 Ekeiel32.exe 2232 Ekeiel32.exe 892 Egljjmkp.exe 892 Egljjmkp.exe 2524 Eaangfjf.exe 2524 Eaangfjf.exe 1600 Fcegdnna.exe 1600 Fcegdnna.exe 2708 Folhio32.exe 2708 Folhio32.exe 2840 Faonqiod.exe 2840 Faonqiod.exe 2416 Gpfggeai.exe 2416 Gpfggeai.exe 2648 Gjolpkhj.exe 2648 Gjolpkhj.exe 2784 Gqmmhdka.exe 2784 Gqmmhdka.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lhegcg32.exe Lnobfn32.exe File created C:\Windows\SysWOW64\Aabfqp32.exe Agmacgcc.exe File created C:\Windows\SysWOW64\Moonqphf.dll Nlklik32.exe File created C:\Windows\SysWOW64\Ajqmqmfm.dll Hnljkf32.exe File opened for modification C:\Windows\SysWOW64\Iihgadhl.exe Imaglc32.exe File opened for modification C:\Windows\SysWOW64\Pngcnpkg.exe Pciiccbm.exe File created C:\Windows\SysWOW64\Mejojlab.dll Eiefqc32.exe File created C:\Windows\SysWOW64\Jgjojj32.dll Ognobcqo.exe File created C:\Windows\SysWOW64\Jboejf32.dll Ahbqliap.exe File opened for modification C:\Windows\SysWOW64\Gmkjjbhg.exe Gdbeqmag.exe File created C:\Windows\SysWOW64\Bnaacb32.dll Ppgfciee.exe File opened for modification C:\Windows\SysWOW64\Flpkll32.exe Fdefgimi.exe File created C:\Windows\SysWOW64\Ebkbpapg.dll Mpcjfa32.exe File opened for modification C:\Windows\SysWOW64\Dkolblkk.exe Cccgni32.exe File created C:\Windows\SysWOW64\Kmbclj32.exe Kpnbcfkc.exe File created C:\Windows\SysWOW64\Mhgpgjoj.exe Mbmgkp32.exe File opened for modification C:\Windows\SysWOW64\Oepianef.exe Opcaiggo.exe File opened for modification C:\Windows\SysWOW64\Jaolad32.exe Jehklc32.exe File created C:\Windows\SysWOW64\Ighchh32.dll Bnfodojp.exe File created C:\Windows\SysWOW64\Fbjpjphf.dll Faonqiod.exe File opened for modification C:\Windows\SysWOW64\Jaaoakmc.exe Jhikhefb.exe File opened for modification C:\Windows\SysWOW64\Ppejmj32.exe Pjhaec32.exe File created C:\Windows\SysWOW64\Hqhiab32.exe Hqemlbqi.exe File created C:\Windows\SysWOW64\Fjjeid32.exe Fmfdppia.exe File created C:\Windows\SysWOW64\Gfobjfcf.dll Folhio32.exe File opened for modification C:\Windows\SysWOW64\Cnmlpd32.exe Bqilfp32.exe File opened for modification C:\Windows\SysWOW64\Hgmhcm32.exe Hgkknm32.exe File created C:\Windows\SysWOW64\Knhoig32.exe Jepjpajn.exe File created C:\Windows\SysWOW64\Gdkejjnc.dll Odgchjhl.exe File opened for modification C:\Windows\SysWOW64\Iganmp32.exe Ibeeeijg.exe File created C:\Windows\SysWOW64\Fjhbihid.dll Onmgeb32.exe File created C:\Windows\SysWOW64\Amhigkdj.dll Oljanhmc.exe File created C:\Windows\SysWOW64\Mbnjnnie.dll Akmgoehg.exe File created C:\Windows\SysWOW64\Ieohfemq.exe Iihgadhl.exe File created C:\Windows\SysWOW64\Lnoncmof.dll Dqknqleg.exe File opened for modification C:\Windows\SysWOW64\Gkjahg32.exe Gbolce32.exe File created C:\Windows\SysWOW64\Kagkebpb.exe Knhoig32.exe File created C:\Windows\SysWOW64\Kaieai32.exe Kfcadq32.exe File created C:\Windows\SysWOW64\Jepjpajn.exe Jkgfgl32.exe File opened for modification C:\Windows\SysWOW64\Glajmppm.exe Fgibijkb.exe File opened for modification C:\Windows\SysWOW64\Gbolce32.exe Feklja32.exe File created C:\Windows\SysWOW64\Maieqidm.dll Inaliedk.exe File created C:\Windows\SysWOW64\Nlklik32.exe ba8dbbbf6fdf78071ca5c7ffcf648690N.exe File created C:\Windows\SysWOW64\Joepjokm.exe Jaaoakmc.exe File created C:\Windows\SysWOW64\Aoilcc32.exe Aeahjn32.exe File created C:\Windows\SysWOW64\Glhkoaij.dll Bjlpjp32.exe File created C:\Windows\SysWOW64\Ebjdjpda.dll Cclkcdpl.exe File created C:\Windows\SysWOW64\Pbbfhefe.dll Omddmkhl.exe File opened for modification C:\Windows\SysWOW64\Ajghgd32.exe Qicoleno.exe File created C:\Windows\SysWOW64\Aoamoefh.exe Qeihfp32.exe File opened for modification C:\Windows\SysWOW64\Ofcldoef.exe Oafclh32.exe File created C:\Windows\SysWOW64\Jkckdi32.dll Lbdghi32.exe File opened for modification C:\Windows\SysWOW64\Onmgeb32.exe Odgchjhl.exe File created C:\Windows\SysWOW64\Hblhqf32.dll Kfcadq32.exe File opened for modification C:\Windows\SysWOW64\Bnfodojp.exe Baoopndk.exe File created C:\Windows\SysWOW64\Pnpbecig.dll Ckgogfmg.exe File created C:\Windows\SysWOW64\Acaoflhe.dll Iclfccmq.exe File created C:\Windows\SysWOW64\Fcegdnna.exe Eaangfjf.exe File opened for modification C:\Windows\SysWOW64\Qlqdmj32.exe Qeglqpaj.exe File opened for modification C:\Windows\SysWOW64\Ejmljg32.exe Eaegaaah.exe File created C:\Windows\SysWOW64\Gfbaeb32.dll Pelpgb32.exe File created C:\Windows\SysWOW64\Inaliedk.exe Hfanjcke.exe File created C:\Windows\SysWOW64\Dlgind32.dll Gbolce32.exe File opened for modification C:\Windows\SysWOW64\Cmocha32.exe Bqciha32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3996 3860 WerFault.exe 312 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfdppia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgemgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmahjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaangfjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjmqekgm.dll" Oafjfokk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgchjhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbjdbcp.dll" Hqemlbqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngiiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgpmbgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efahjm32.dll" Ajghgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igoagpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqdpee32.dll" Nonqca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpbenpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfieec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faonqiod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Homfboco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmelfeqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbcdjpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jecnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecoobjme.dll" ba8dbbbf6fdf78071ca5c7ffcf648690N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hphiggmf.dll" Mckpba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgdlnop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Almjcobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfckodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekfdc32.dll" Ljfckodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eigbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggikja32.dll" Hlgmkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmocha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iclfccmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaieai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhmjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfkjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmbdfolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcfle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbkgegad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmocha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhegcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgjjdijo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaegaaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jecnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqkgbkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oepianef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjfdpckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqilfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbmahjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehahglmg.dll" Jnlfjjpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqedfmd.dll" Qdfhlggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnalqca.dll" Jmelfeqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nonqca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dghjmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhmjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkkbcpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopclafg.dll" Nncaejie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkoidcaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbickmoq.dll" Eamgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phelnhnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eibbqmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknplm32.dll" Lhegcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdemap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdhadgoa.dll" Cgnpmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lanmde32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2104 2532 ba8dbbbf6fdf78071ca5c7ffcf648690N.exe 29 PID 2532 wrote to memory of 2104 2532 ba8dbbbf6fdf78071ca5c7ffcf648690N.exe 29 PID 2532 wrote to memory of 2104 2532 ba8dbbbf6fdf78071ca5c7ffcf648690N.exe 29 PID 2532 wrote to memory of 2104 2532 ba8dbbbf6fdf78071ca5c7ffcf648690N.exe 29 PID 2104 wrote to memory of 296 2104 Nlklik32.exe 30 PID 2104 wrote to memory of 296 2104 Nlklik32.exe 30 PID 2104 wrote to memory of 296 2104 Nlklik32.exe 30 PID 2104 wrote to memory of 296 2104 Nlklik32.exe 30 PID 296 wrote to memory of 2764 296 Nmjicn32.exe 31 PID 296 wrote to memory of 2764 296 Nmjicn32.exe 31 PID 296 wrote to memory of 2764 296 Nmjicn32.exe 31 PID 296 wrote to memory of 2764 296 Nmjicn32.exe 31 PID 2764 wrote to memory of 3068 2764 Njdbefnf.exe 32 PID 2764 wrote to memory of 3068 2764 Njdbefnf.exe 32 PID 2764 wrote to memory of 3068 2764 Njdbefnf.exe 32 PID 2764 wrote to memory of 3068 2764 Njdbefnf.exe 32 PID 3068 wrote to memory of 2948 3068 Ohkpdj32.exe 33 PID 3068 wrote to memory of 2948 3068 Ohkpdj32.exe 33 PID 3068 wrote to memory of 2948 3068 Ohkpdj32.exe 33 PID 3068 wrote to memory of 2948 3068 Ohkpdj32.exe 33 PID 2948 wrote to memory of 2668 2948 Ofbikf32.exe 34 PID 2948 wrote to memory of 2668 2948 Ofbikf32.exe 34 PID 2948 wrote to memory of 2668 2948 Ofbikf32.exe 34 PID 2948 wrote to memory of 2668 2948 Ofbikf32.exe 34 PID 2668 wrote to memory of 1856 2668 Pbkgegad.exe 35 PID 2668 wrote to memory of 1856 2668 Pbkgegad.exe 35 PID 2668 wrote to memory of 1856 2668 Pbkgegad.exe 35 PID 2668 wrote to memory of 1856 2668 Pbkgegad.exe 35 PID 1856 wrote to memory of 2372 1856 Pelpgb32.exe 36 PID 1856 wrote to memory of 2372 1856 Pelpgb32.exe 36 PID 1856 wrote to memory of 2372 1856 Pelpgb32.exe 36 PID 1856 wrote to memory of 2372 1856 Pelpgb32.exe 36 PID 2372 wrote to memory of 2976 2372 Peolmb32.exe 37 PID 2372 wrote to memory of 2976 2372 Peolmb32.exe 37 PID 2372 wrote to memory of 2976 2372 Peolmb32.exe 37 PID 2372 wrote to memory of 2976 2372 Peolmb32.exe 37 PID 2976 wrote to memory of 2672 2976 Qicoleno.exe 38 PID 2976 wrote to memory of 2672 2976 Qicoleno.exe 38 PID 2976 wrote to memory of 2672 2976 Qicoleno.exe 38 PID 2976 wrote to memory of 2672 2976 Qicoleno.exe 38 PID 2672 wrote to memory of 1364 2672 Ajghgd32.exe 39 PID 2672 wrote to memory of 1364 2672 Ajghgd32.exe 39 PID 2672 wrote to memory of 1364 2672 Ajghgd32.exe 39 PID 2672 wrote to memory of 1364 2672 Ajghgd32.exe 39 PID 1364 wrote to memory of 1632 1364 Alknnodh.exe 40 PID 1364 wrote to memory of 1632 1364 Alknnodh.exe 40 PID 1364 wrote to memory of 1632 1364 Alknnodh.exe 40 PID 1364 wrote to memory of 1632 1364 Alknnodh.exe 40 PID 1632 wrote to memory of 2140 1632 Almjcobe.exe 41 PID 1632 wrote to memory of 2140 1632 Almjcobe.exe 41 PID 1632 wrote to memory of 2140 1632 Almjcobe.exe 41 PID 1632 wrote to memory of 2140 1632 Almjcobe.exe 41 PID 2140 wrote to memory of 2244 2140 Bjgdfg32.exe 42 PID 2140 wrote to memory of 2244 2140 Bjgdfg32.exe 42 PID 2140 wrote to memory of 2244 2140 Bjgdfg32.exe 42 PID 2140 wrote to memory of 2244 2140 Bjgdfg32.exe 42 PID 2244 wrote to memory of 984 2244 Bqciha32.exe 43 PID 2244 wrote to memory of 984 2244 Bqciha32.exe 43 PID 2244 wrote to memory of 984 2244 Bqciha32.exe 43 PID 2244 wrote to memory of 984 2244 Bqciha32.exe 43 PID 984 wrote to memory of 564 984 Cmocha32.exe 44 PID 984 wrote to memory of 564 984 Cmocha32.exe 44 PID 984 wrote to memory of 564 984 Cmocha32.exe 44 PID 984 wrote to memory of 564 984 Cmocha32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba8dbbbf6fdf78071ca5c7ffcf648690N.exe"C:\Users\Admin\AppData\Local\Temp\ba8dbbbf6fdf78071ca5c7ffcf648690N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Nlklik32.exeC:\Windows\system32\Nlklik32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Windows\SysWOW64\Njdbefnf.exeC:\Windows\system32\Njdbefnf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Qicoleno.exeC:\Windows\system32\Qicoleno.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Almjcobe.exeC:\Windows\system32\Almjcobe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Cmocha32.exeC:\Windows\system32\Cmocha32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Cifdmbib.exeC:\Windows\system32\Cifdmbib.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Ccdnipal.exeC:\Windows\system32\Ccdnipal.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Djqcki32.exeC:\Windows\system32\Djqcki32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Dckdio32.exeC:\Windows\system32\Dckdio32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Egljjmkp.exeC:\Windows\system32\Egljjmkp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Eaangfjf.exeC:\Windows\system32\Eaangfjf.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Fcegdnna.exeC:\Windows\system32\Fcegdnna.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Folhio32.exeC:\Windows\system32\Folhio32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Faonqiod.exeC:\Windows\system32\Faonqiod.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Gpfggeai.exeC:\Windows\system32\Gpfggeai.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Gjolpkhj.exeC:\Windows\system32\Gjolpkhj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Gqmmhdka.exeC:\Windows\system32\Gqmmhdka.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Hbafel32.exeC:\Windows\system32\Hbafel32.exe33⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Hmfkbeoc.exeC:\Windows\system32\Hmfkbeoc.exe34⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Hbhmfk32.exeC:\Windows\system32\Hbhmfk32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Iamjghnm.exeC:\Windows\system32\Iamjghnm.exe37⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Iclfccmq.exeC:\Windows\system32\Iclfccmq.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Icponb32.exeC:\Windows\system32\Icponb32.exe39⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Ipgpcc32.exeC:\Windows\system32\Ipgpcc32.exe40⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Iiodliep.exeC:\Windows\system32\Iiodliep.exe41⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Jbjejojn.exeC:\Windows\system32\Jbjejojn.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Jnafop32.exeC:\Windows\system32\Jnafop32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Jaaoakmc.exeC:\Windows\system32\Jaaoakmc.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Joepjokm.exeC:\Windows\system32\Joepjokm.exe46⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Jfadoaih.exeC:\Windows\system32\Jfadoaih.exe47⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Jmkmlk32.exeC:\Windows\system32\Jmkmlk32.exe48⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Kfcadq32.exeC:\Windows\system32\Kfcadq32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Kaieai32.exeC:\Windows\system32\Kaieai32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe51⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Kpnbcfkc.exeC:\Windows\system32\Kpnbcfkc.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Kppohf32.exeC:\Windows\system32\Kppohf32.exe54⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Kihcakpa.exeC:\Windows\system32\Kihcakpa.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Kpblne32.exeC:\Windows\system32\Kpblne32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Khnqbhdi.exeC:\Windows\system32\Khnqbhdi.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Lccepqdo.exeC:\Windows\system32\Lccepqdo.exe58⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Lkoidcaj.exeC:\Windows\system32\Lkoidcaj.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Lednal32.exeC:\Windows\system32\Lednal32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Lkafib32.exeC:\Windows\system32\Lkafib32.exe61⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Lnobfn32.exeC:\Windows\system32\Lnobfn32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Ljfckodo.exeC:\Windows\system32\Ljfckodo.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Lgjcdc32.exeC:\Windows\system32\Lgjcdc32.exe65⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ldndng32.exeC:\Windows\system32\Ldndng32.exe66⤵PID:1092
-
C:\Windows\SysWOW64\Mfoqephq.exeC:\Windows\system32\Mfoqephq.exe67⤵PID:2480
-
C:\Windows\SysWOW64\Mpeebhhf.exeC:\Windows\system32\Mpeebhhf.exe68⤵PID:1708
-
C:\Windows\SysWOW64\Mlkegimk.exeC:\Windows\system32\Mlkegimk.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Mcendc32.exeC:\Windows\system32\Mcendc32.exe70⤵PID:2564
-
C:\Windows\SysWOW64\Mchjjc32.exeC:\Windows\system32\Mchjjc32.exe71⤵PID:836
-
C:\Windows\SysWOW64\Mffgfo32.exeC:\Windows\system32\Mffgfo32.exe72⤵PID:2404
-
C:\Windows\SysWOW64\Mbmgkp32.exeC:\Windows\system32\Mbmgkp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Mhgpgjoj.exeC:\Windows\system32\Mhgpgjoj.exe74⤵PID:2772
-
C:\Windows\SysWOW64\Ngafdepl.exeC:\Windows\system32\Ngafdepl.exe75⤵PID:2008
-
C:\Windows\SysWOW64\Nplkhh32.exeC:\Windows\system32\Nplkhh32.exe76⤵PID:3024
-
C:\Windows\SysWOW64\Nffcebdd.exeC:\Windows\system32\Nffcebdd.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Nqkgbkdj.exeC:\Windows\system32\Nqkgbkdj.exe78⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Omddmkhl.exeC:\Windows\system32\Omddmkhl.exe79⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe80⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe81⤵
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Oljanhmc.exeC:\Windows\system32\Oljanhmc.exe82⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Oafjfokk.exeC:\Windows\system32\Oafjfokk.exe83⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ohqbbi32.exeC:\Windows\system32\Ohqbbi32.exe84⤵PID:2036
-
C:\Windows\SysWOW64\Odgchjhl.exeC:\Windows\system32\Odgchjhl.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe86⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Phelnhnb.exeC:\Windows\system32\Phelnhnb.exe87⤵
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Pmbdfolj.exeC:\Windows\system32\Pmbdfolj.exe88⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Pjfdpckc.exeC:\Windows\system32\Pjfdpckc.exe89⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe90⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe91⤵PID:2932
-
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe92⤵PID:2960
-
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe93⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Pedokpcm.exeC:\Windows\system32\Pedokpcm.exe94⤵PID:940
-
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe95⤵
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Qlqdmj32.exeC:\Windows\system32\Qlqdmj32.exe96⤵PID:1848
-
C:\Windows\SysWOW64\Qeihfp32.exeC:\Windows\system32\Qeihfp32.exe97⤵
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Aoamoefh.exeC:\Windows\system32\Aoamoefh.exe98⤵PID:608
-
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Aabfqp32.exeC:\Windows\system32\Aabfqp32.exe100⤵PID:1572
-
C:\Windows\SysWOW64\Akjjifji.exeC:\Windows\system32\Akjjifji.exe101⤵PID:944
-
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe105⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe107⤵PID:3064
-
C:\Windows\SysWOW64\Bdpnlo32.exeC:\Windows\system32\Bdpnlo32.exe108⤵PID:2780
-
C:\Windows\SysWOW64\Bofbih32.exeC:\Windows\system32\Bofbih32.exe109⤵PID:2984
-
C:\Windows\SysWOW64\Bgagnjbi.exeC:\Windows\system32\Bgagnjbi.exe110⤵PID:2364
-
C:\Windows\SysWOW64\Bqilfp32.exeC:\Windows\system32\Bqilfp32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe112⤵PID:2928
-
C:\Windows\SysWOW64\Cdgdlnop.exeC:\Windows\system32\Cdgdlnop.exe113⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Cjdmee32.exeC:\Windows\system32\Cjdmee32.exe114⤵PID:1892
-
C:\Windows\SysWOW64\Ccmanjch.exeC:\Windows\system32\Ccmanjch.exe115⤵PID:2288
-
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe117⤵PID:1488
-
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Cccgni32.exeC:\Windows\system32\Cccgni32.exe119⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Dkolblkk.exeC:\Windows\system32\Dkolblkk.exe120⤵PID:1012
-
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-