Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 06/03/2024, 19:12
Static task: static1
Behavioral task: behavioral1
- Sample: 3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08.exe
- Resource: win10v2004-20240226-en
General
- Target: 3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08.exe
- Size: 121KB
- MD5: 04c494d24ae6bd7d758a78a59ad4dcca
- SHA1: 347e8b7bf74a515a87ae96323c49bfe4942782c6
- SHA256: 3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08
- SHA512: 454b33436c8ae6d4b132b70fa839d6dbb303d5f09ff71b40374d4a94a508e2918aae3d4405d9a3190da31014fe5c51b23865eb36c111ba4c8ca5104d8271d67d
- SSDEEP: 1536:0NSftxE0eRPYCuikl/r7WWmnB5niQIVX6x7Vhq28D24VdCCV19zQYOd5ijJnD5io:XnE3hSr7W37nJx8fVdnO7AJnD5tvv
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
- pid: 7280
- pid_target: 7256
- Process: WerFault.exe
- procid_target: 726
-
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree as recorded by the sandbox: a linear chain 122 levels deep in which each dropped executable under C:\Windows\SysWOW64 executes the next; only the root binary runs from the user's Temp directory. Each entry lists the image path, the command line, the nesting depth, the signatures it triggered, and its PID. Note that two image names recur (Holacm32.exe at depths 36 and 37, Hdncgbnl.exe at depths 50 and 51).
C:\Users\Admin\AppData\Local\Temp\3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08.exe (command line: "C:\Users\Admin\AppData\Local\Temp\3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08.exe") 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
C:\Windows\SysWOW64\Flgbho32.exe (command line: C:\Windows\system32\Flgbho32.exe) 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700
C:\Windows\SysWOW64\Fepgqdnc.exe (command line: C:\Windows\system32\Fepgqdnc.exe) 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620
C:\Windows\SysWOW64\Fhncmp32.exe (command line: C:\Windows\system32\Fhncmp32.exe) 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540
C:\Windows\SysWOW64\Fklpik32.exe (command line: C:\Windows\system32\Fklpik32.exe) 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440
C:\Windows\SysWOW64\Fafheedg.exe (command line: C:\Windows\system32\Fafheedg.exe) 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468
C:\Windows\SysWOW64\Fhppbp32.exe (command line: C:\Windows\system32\Fhppbp32.exe) 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584
C:\Windows\SysWOW64\Fkolnk32.exe (command line: C:\Windows\system32\Fkolnk32.exe) 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160
C:\Windows\SysWOW64\Fmmhjf32.exe (command line: C:\Windows\system32\Fmmhjf32.exe) 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196
C:\Windows\SysWOW64\Fahdkebe.exe (command line: C:\Windows\system32\Fahdkebe.exe) 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260
C:\Windows\SysWOW64\Fdgqgqah.exe (command line: C:\Windows\system32\Fdgqgqah.exe) 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868
C:\Windows\SysWOW64\Gkaidjhe.exe (command line: C:\Windows\system32\Gkaidjhe.exe) 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508
C:\Windows\SysWOW64\Gmoepfhi.exe (command line: C:\Windows\system32\Gmoepfhi.exe) 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
C:\Windows\SysWOW64\Gheimogo.exe (command line: C:\Windows\system32\Gheimogo.exe) 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1220
C:\Windows\SysWOW64\Gkceijfb.exe (command line: C:\Windows\system32\Gkceijfb.exe) 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644
C:\Windows\SysWOW64\Giffeg32.exe (command line: C:\Windows\system32\Giffeg32.exe) 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052
C:\Windows\SysWOW64\Gmabeeef.exe (command line: C:\Windows\system32\Gmabeeef.exe) 17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1864
C:\Windows\SysWOW64\Gamnfd32.exe (command line: C:\Windows\system32\Gamnfd32.exe) 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420
C:\Windows\SysWOW64\Gdljbp32.exe (command line: C:\Windows\system32\Gdljbp32.exe) 19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1760
C:\Windows\SysWOW64\Gcojnmdn.exe (command line: C:\Windows\system32\Gcojnmdn.exe) 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748
C:\Windows\SysWOW64\Ggjfnk32.exe (command line: C:\Windows\system32\Ggjfnk32.exe) 21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172
C:\Windows\SysWOW64\Gihbjfkj.exe (command line: C:\Windows\system32\Gihbjfkj.exe) 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324
C:\Windows\SysWOW64\Glgofbjn.exe (command line: C:\Windows\system32\Glgofbjn.exe) 23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1552
C:\Windows\SysWOW64\Gpbkgq32.exe (command line: C:\Windows\system32\Gpbkgq32.exe) 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776
C:\Windows\SysWOW64\Gdnghpkq.exe (command line: C:\Windows\system32\Gdnghpkq.exe) 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936
C:\Windows\SysWOW64\Geocph32.exe (command line: C:\Windows\system32\Geocph32.exe) 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620
C:\Windows\SysWOW64\Gikopfih.exe (command line: C:\Windows\system32\Gikopfih.exe) 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244
C:\Windows\SysWOW64\Gnfkqe32.exe (command line: C:\Windows\system32\Gnfkqe32.exe) 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564
C:\Windows\SysWOW64\Ggopijha.exe (command line: C:\Windows\system32\Ggopijha.exe) 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632
C:\Windows\SysWOW64\Geapeg32.exe (command line: C:\Windows\system32\Geapeg32.exe) 30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2760
C:\Windows\SysWOW64\Ghplac32.exe (command line: C:\Windows\system32\Ghplac32.exe) 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532
C:\Windows\SysWOW64\Gpgdbpob.exe (command line: C:\Windows\system32\Gpgdbpob.exe) 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300
C:\Windows\SysWOW64\Hceqnlnf.exe (command line: C:\Windows\system32\Hceqnlnf.exe) 33⤵
- Executes dropped EXE
PID:2588
C:\Windows\SysWOW64\Hhbigblm.exe (command line: C:\Windows\system32\Hhbigblm.exe) 34⤵
- Executes dropped EXE
PID:1336
C:\Windows\SysWOW64\Hlnega32.exe (command line: C:\Windows\system32\Hlnega32.exe) 35⤵
- Executes dropped EXE
PID:1520
C:\Windows\SysWOW64\Holacm32.exe (command line: C:\Windows\system32\Holacm32.exe) 36⤵
- Executes dropped EXE
PID:1488
C:\Windows\SysWOW64\Holacm32.exe (command line: C:\Windows\system32\Holacm32.exe) 37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1920
C:\Windows\SysWOW64\Hakmph32.exe (command line: C:\Windows\system32\Hakmph32.exe) 38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264
C:\Windows\SysWOW64\Hefipfkg.exe (command line: C:\Windows\system32\Hefipfkg.exe) 39⤵
- Executes dropped EXE
PID:2400
C:\Windows\SysWOW64\Hheelbjj.exe (command line: C:\Windows\system32\Hheelbjj.exe) 40⤵
- Executes dropped EXE
PID:2732
C:\Windows\SysWOW64\Hlpamq32.exe (command line: C:\Windows\system32\Hlpamq32.exe) 41⤵
- Executes dropped EXE
PID:1824
C:\Windows\SysWOW64\Hoonilag.exe (command line: C:\Windows\system32\Hoonilag.exe) 42⤵
- Executes dropped EXE
- Modifies registry class
PID:2928
C:\Windows\SysWOW64\Hamjehqk.exe (command line: C:\Windows\system32\Hamjehqk.exe) 43⤵
- Executes dropped EXE
PID:1124
C:\Windows\SysWOW64\Hfifff32.exe (command line: C:\Windows\system32\Hfifff32.exe) 44⤵
- Executes dropped EXE
PID:2884
C:\Windows\SysWOW64\Hhgbba32.exe (command line: C:\Windows\system32\Hhgbba32.exe) 45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2104
C:\Windows\SysWOW64\Hkeonm32.exe (command line: C:\Windows\system32\Hkeonm32.exe) 46⤵
- Executes dropped EXE
PID:1296
C:\Windows\SysWOW64\Hoakolod.exe (command line: C:\Windows\system32\Hoakolod.exe) 47⤵
- Executes dropped EXE
PID:552
C:\Windows\SysWOW64\Hndkji32.exe (command line: C:\Windows\system32\Hndkji32.exe) 48⤵
- Executes dropped EXE
PID:2452
C:\Windows\SysWOW64\Haogkgoh.exe (command line: C:\Windows\system32\Haogkgoh.exe) 49⤵
- Executes dropped EXE
PID:1940
C:\Windows\SysWOW64\Hdncgbnl.exe (command line: C:\Windows\system32\Hdncgbnl.exe) 50⤵
- Executes dropped EXE
PID:2600
C:\Windows\SysWOW64\Hdncgbnl.exe (command line: C:\Windows\system32\Hdncgbnl.exe) 51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612
C:\Windows\SysWOW64\Hhioga32.exe (command line: C:\Windows\system32\Hhioga32.exe) 52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736
C:\Windows\SysWOW64\Hglocnmp.exe (command line: C:\Windows\system32\Hglocnmp.exe) 53⤵
- Executes dropped EXE
PID:2848
C:\Windows\SysWOW64\Hkhkcm32.exe (command line: C:\Windows\system32\Hkhkcm32.exe) 54⤵
- Executes dropped EXE
PID:2108
C:\Windows\SysWOW64\Hjkkojlc.exe (command line: C:\Windows\system32\Hjkkojlc.exe) 55⤵
- Executes dropped EXE
PID:572
C:\Windows\SysWOW64\Hbbcpg32.exe (command line: C:\Windows\system32\Hbbcpg32.exe) 56⤵
- Executes dropped EXE
PID:956
C:\Windows\SysWOW64\Hdpplb32.exe (command line: C:\Windows\system32\Hdpplb32.exe) 57⤵
- Executes dropped EXE
PID:2180
C:\Windows\SysWOW64\Hgolhn32.exe (command line: C:\Windows\system32\Hgolhn32.exe) 58⤵
- Executes dropped EXE
PID:1464
C:\Windows\SysWOW64\Hkjhimcf.exe (command line: C:\Windows\system32\Hkjhimcf.exe) 59⤵
- Executes dropped EXE
PID:2044
C:\Windows\SysWOW64\Inhdehbj.exe (command line: C:\Windows\system32\Inhdehbj.exe) 60⤵
- Executes dropped EXE
PID:1968
C:\Windows\SysWOW64\Imkdqe32.exe (command line: C:\Windows\system32\Imkdqe32.exe) 61⤵
- Executes dropped EXE
PID:2164
C:\Windows\SysWOW64\Iqgqacam.exe (command line: C:\Windows\system32\Iqgqacam.exe) 62⤵
- Executes dropped EXE
PID:1756
C:\Windows\SysWOW64\Idblbb32.exe (command line: C:\Windows\system32\Idblbb32.exe) 63⤵
- Executes dropped EXE
PID:1632
C:\Windows\SysWOW64\Icemmopa.exe (command line: C:\Windows\system32\Icemmopa.exe) 64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1100
C:\Windows\SysWOW64\Ifdiijpe.exe (command line: C:\Windows\system32\Ifdiijpe.exe) 65⤵
- Executes dropped EXE
PID:2696
C:\Windows\SysWOW64\Ijoeji32.exe (command line: C:\Windows\system32\Ijoeji32.exe) 66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976
C:\Windows\SysWOW64\Inkakhpg.exe (command line: C:\Windows\system32\Inkakhpg.exe) 67⤵
PID:960
C:\Windows\SysWOW64\Iqimgc32.exe (command line: C:\Windows\system32\Iqimgc32.exe) 68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892
C:\Windows\SysWOW64\Iolmbpfe.exe (command line: C:\Windows\system32\Iolmbpfe.exe) 69⤵
PID:2088
C:\Windows\SysWOW64\Ichico32.exe (command line: C:\Windows\system32\Ichico32.exe) 70⤵
PID:704
C:\Windows\SysWOW64\Igcecmfg.exe (command line: C:\Windows\system32\Igcecmfg.exe) 71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644
C:\Windows\SysWOW64\Ijaapifk.exe (command line: C:\Windows\system32\Ijaapifk.exe) 72⤵
PID:1640
C:\Windows\SysWOW64\Iidbke32.exe (command line: C:\Windows\system32\Iidbke32.exe) 73⤵
PID:2444
C:\Windows\SysWOW64\Impnldeo.exe (command line: C:\Windows\system32\Impnldeo.exe) 74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428
C:\Windows\SysWOW64\Iqljlb32.exe (command line: C:\Windows\system32\Iqljlb32.exe) 75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136
C:\Windows\SysWOW64\Ioojhpdb.exe (command line: C:\Windows\system32\Ioojhpdb.exe) 76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124
C:\Windows\SysWOW64\Icjfhn32.exe (command line: C:\Windows\system32\Icjfhn32.exe) 77⤵
PID:2864
C:\Windows\SysWOW64\Ijdnehci.exe (command line: C:\Windows\system32\Ijdnehci.exe) 78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012
C:\Windows\SysWOW64\Iigoqe32.exe (command line: C:\Windows\system32\Iigoqe32.exe) 79⤵
PID:2020
C:\Windows\SysWOW64\Ikekmq32.exe (command line: C:\Windows\system32\Ikekmq32.exe) 80⤵
- Drops file in System32 directory
PID:1980
C:\Windows\SysWOW64\Ioagno32.exe (command line: C:\Windows\system32\Ioagno32.exe) 81⤵
- Drops file in System32 directory
PID:2544
C:\Windows\SysWOW64\Ibocjk32.exe (command line: C:\Windows\system32\Ibocjk32.exe) 82⤵
PID:1588
C:\Windows\SysWOW64\Ifkojiim.exe (command line: C:\Windows\system32\Ifkojiim.exe) 83⤵
PID:2052
C:\Windows\SysWOW64\Ienoff32.exe (command line: C:\Windows\system32\Ienoff32.exe) 84⤵
PID:296
C:\Windows\SysWOW64\Imeggc32.exe (command line: C:\Windows\system32\Imeggc32.exe) 85⤵
PID:1912
C:\Windows\SysWOW64\Ikggbpgd.exe (command line: C:\Windows\system32\Ikggbpgd.exe) 86⤵
- Modifies registry class
PID:996
C:\Windows\SysWOW64\Ioccco32.exe (command line: C:\Windows\system32\Ioccco32.exe) 87⤵
PID:2220
C:\Windows\SysWOW64\Ibapoj32.exe (command line: C:\Windows\system32\Ibapoj32.exe) 88⤵
PID:1540
C:\Windows\SysWOW64\Ifmlpigj.exe (command line: C:\Windows\system32\Ifmlpigj.exe) 89⤵
- Drops file in System32 directory
PID:2520
C:\Windows\SysWOW64\Jeplkf32.exe (command line: C:\Windows\system32\Jeplkf32.exe) 90⤵
PID:556
C:\Windows\SysWOW64\Jilhldfn.exe (command line: C:\Windows\system32\Jilhldfn.exe) 91⤵
PID:2460
C:\Windows\SysWOW64\Jgnhga32.exe (command line: C:\Windows\system32\Jgnhga32.exe) 92⤵
- Modifies registry class
PID:2424
C:\Windows\SysWOW64\Joepio32.exe (command line: C:\Windows\system32\Joepio32.exe) 93⤵
PID:2320
C:\Windows\SysWOW64\Jbdlejmn.exe (command line: C:\Windows\system32\Jbdlejmn.exe) 94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824
C:\Windows\SysWOW64\Jagmpg32.exe (command line: C:\Windows\system32\Jagmpg32.exe) 95⤵
PID:2900
C:\Windows\SysWOW64\Jebiaelb.exe (command line: C:\Windows\system32\Jebiaelb.exe) 96⤵
PID:1244
C:\Windows\SysWOW64\Jinead32.exe (command line: C:\Windows\system32\Jinead32.exe) 97⤵
PID:2552
C:\Windows\SysWOW64\Jgqemakf.exe (command line: C:\Windows\system32\Jgqemakf.exe) 98⤵
PID:2340
C:\Windows\SysWOW64\Jjoailji.exe (command line: C:\Windows\system32\Jjoailji.exe) 99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604
C:\Windows\SysWOW64\Jnkmjk32.exe (command line: C:\Windows\system32\Jnkmjk32.exe) 100⤵
PID:2116
C:\Windows\SysWOW64\Jaiiff32.exe (command line: C:\Windows\system32\Jaiiff32.exe) 101⤵
- Modifies registry class
PID:1416
C:\Windows\SysWOW64\Jgcabqic.exe (command line: C:\Windows\system32\Jgcabqic.exe) 102⤵
PID:2028
C:\Windows\SysWOW64\Jkonco32.exe (command line: C:\Windows\system32\Jkonco32.exe) 103⤵
PID:2120
C:\Windows\SysWOW64\Jjanolhg.exe (command line: C:\Windows\system32\Jjanolhg.exe) 104⤵
PID:1364
C:\Windows\SysWOW64\Jnmjok32.exe (command line: C:\Windows\system32\Jnmjok32.exe) 105⤵
PID:2716
C:\Windows\SysWOW64\Jmpjkggj.exe (command line: C:\Windows\system32\Jmpjkggj.exe) 106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1228
C:\Windows\SysWOW64\Jcjbgaog.exe (command line: C:\Windows\system32\Jcjbgaog.exe) 107⤵
PID:1892
C:\Windows\SysWOW64\Jfhocmnk.exe (command line: C:\Windows\system32\Jfhocmnk.exe) 108⤵
PID:2808
C:\Windows\SysWOW64\Jnofejom.exe (command line: C:\Windows\system32\Jnofejom.exe) 109⤵
- Drops file in System32 directory
PID:1724
C:\Windows\SysWOW64\Jancafna.exe (command line: C:\Windows\system32\Jancafna.exe) 110⤵
PID:2436
C:\Windows\SysWOW64\Jclomamd.exe (command line: C:\Windows\system32\Jclomamd.exe) 111⤵
PID:1276
C:\Windows\SysWOW64\Jfkkimlh.exe (command line: C:\Windows\system32\Jfkkimlh.exe) 112⤵
PID:2288
C:\Windows\SysWOW64\Jiigehkl.exe (command line: C:\Windows\system32\Jiigehkl.exe) 113⤵
PID:1872
C:\Windows\SysWOW64\Kappfeln.exe (command line: C:\Windows\system32\Kappfeln.exe) 114⤵
PID:852
C:\Windows\SysWOW64\Kcolba32.exe (command line: C:\Windows\system32\Kcolba32.exe) 115⤵
PID:3064
C:\Windows\SysWOW64\Kfmhol32.exe (command line: C:\Windows\system32\Kfmhol32.exe) 116⤵
PID:2640
C:\Windows\SysWOW64\Kikdkh32.exe (command line: C:\Windows\system32\Kikdkh32.exe) 117⤵
PID:324
C:\Windows\SysWOW64\Kpemgbqf.exe (command line: C:\Windows\system32\Kpemgbqf.exe) 118⤵
PID:1580
C:\Windows\SysWOW64\Kcahhq32.exe (command line: C:\Windows\system32\Kcahhq32.exe) 119⤵
PID:488
C:\Windows\SysWOW64\Kfoedl32.exe (command line: C:\Windows\system32\Kfoedl32.exe) 120⤵
PID:1684
C:\Windows\SysWOW64\Kebepion.exe (command line: C:\Windows\system32\Kebepion.exe) 121⤵
PID:2476
C:\Windows\SysWOW64\Kbfeimng.exe (command line: C:\Windows\system32\Kbfeimng.exe) 122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000
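Worked example, added here and not part of the tria.ge report or of the sample: a short Python script that takes a few rows copied from the "wrote to memory" table and a few entries from the Processes list above, rebuilds the writer-to-target chain, and reports whether it is a single linear hand-off of freshly dropped images under C:\Windows\SysWOW64. The row layout matched by the regular expression is the one visible on this page; the function names, the fork and cycle handling and the `system_dir` parameter are assumptions of this example, not anything the sandbox exposes.

```python
import re
from collections import Counter

# Constructed sample input: the first eight rows copied from the
# "wrote to memory" table above (the full table repeats every row four times).
WRITE_EVENTS = """\
PID 1976 wrote to memory of 2700 1976 3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08.exe 28
PID 1976 wrote to memory of 2700 1976 3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08.exe 28
PID 2700 wrote to memory of 2620 2700 Flgbho32.exe 29
PID 2700 wrote to memory of 2620 2700 Flgbho32.exe 29
PID 2620 wrote to memory of 2540 2620 Fepgqdnc.exe 30
PID 2540 wrote to memory of 2440 2540 Fhncmp32.exe 31
PID 2440 wrote to memory of 2468 2440 Fklpik32.exe 32
PID 2468 wrote to memory of 2584 2468 Fafheedg.exe 33
"""

# Constructed sample input: PID -> image path, copied from the Processes list above.
PROCESSES = {
    1976: r"C:\Users\Admin\AppData\Local\Temp\3d0c144d6c2af7102c4b8db335a1a1e4f4c96face0b02cb550f2456b0ba90d08.exe",
    2700: r"C:\Windows\SysWOW64\Flgbho32.exe",
    2620: r"C:\Windows\SysWOW64\Fepgqdnc.exe",
    2540: r"C:\Windows\SysWOW64\Fhncmp32.exe",
    2440: r"C:\Windows\SysWOW64\Fklpik32.exe",
    2468: r"C:\Windows\SysWOW64\Fafheedg.exe",
    2584: r"C:\Windows\SysWOW64\Fhppbp32.exe",
}

# Row layout as it appears on this page: writer PID, target PID, writer PID
# again, writer image name, and the sandbox's procid_target column.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_write_events(text):
    """Count identical rows per (writer_pid, target_pid, writer_image).

    The sandbox logs one row per WriteProcessMemory call, so one child shows
    up several times; counting keeps that information without mistaking
    repeats for additional targets.
    """
    events = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, image, _target_id = m.groups()
            events[(int(src), int(dst), image)] += 1
    return events


def build_chain(events, root_pid):
    """Follow writer -> target edges from root_pid and return the PID order.

    Stops at a fork (a process writing into more than one other process) or
    at a cycle, so a walk that covers every writer means one linear chain.
    """
    targets = {}
    for src, dst, _image in events:
        targets.setdefault(src, set()).add(dst)
    chain, seen, cur = [root_pid], {root_pid}, root_pid
    while cur in targets:
        nxt = targets[cur]
        if len(nxt) != 1:
            break  # fork: several children, not a single hand-off chain
        cur = next(iter(nxt))
        if cur in seen:
            break  # cycle guard
        chain.append(cur)
        seen.add(cur)
    return chain


def summarize(chain, processes, system_dir="C:\\Windows\\SysWOW64\\"):
    """Describe the chain: hop count, whether every spawned image lives under
    system_dir, and which image names recur (the Processes list above shows
    Holacm32.exe and Hdncgbnl.exe each used twice)."""
    spawned = [processes[p] for p in chain[1:] if p in processes]
    names = Counter(path.rsplit("\\", 1)[-1] for path in spawned)
    return {
        "hops": len(chain) - 1,
        "all_children_in_system_dir": all(
            path.lower().startswith(system_dir.lower()) for path in spawned),
        "repeated_images": sorted(n for n, c in names.items() if c > 1),
    }


if __name__ == "__main__":
    ev = parse_write_events(WRITE_EVENTS)
    chain = build_chain(ev, 1976)
    print(" -> ".join(str(p) for p in chain))
    print(summarize(chain, PROCESSES))
```

On the rows above the walk yields 1976 -> 2700 -> 2620 -> 2540 -> 2440 -> 2468 -> 2584, six hops with every child under SysWOW64 and no repeated image. Feeding the script the full table and process list from this report is the quickest way to confirm that the 122-level tree is one straight line rather than a fan-out, which is the distinction a triage analyst cares about when deciding whether a single process-tree kill is enough.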