Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 18:43 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe
  Resource: win10v2004-20240226-en
General
Target: 04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe
Size: 52KB
MD5: e2e75c2bd5b0ba3973a49ab9ea6cb5e1
SHA1: 64896db5b960a34761bc2a69107618e657668986
SHA256: 04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138
SHA512: 6669f5e2f90662267b5a5bfd96b01542f3d1fb4a0c24b3718d4954d97f9f48bbb2c32d864033197035e9b919bb014a23deff55c8bbe073125ab17aafd45933e7
SSDEEP: 768:AsXjwf+s347rTN0+46/PWkQVYQxcMIYQRTInPP20FTd+/1H5F/sl6MABvKWe:TXjHsIXTH4WqqQxcMNcTIPew6MAdKZ
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 entries hit the same key, written through the 32-bit (Wow6432Node) registry view; they reduce to two distinct IoCs.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (32 entries): Gihbjfkj.exe, Kebepion.exe, Aiedjneg.exe, Kkgmgmfd.exe, Edkcojga.exe, Lganiohl.exe, Gdnghpkq.exe, Kikdkh32.exe, Apomfh32.exe, Qbbfopeg.exe, Eiaiqn32.exe, Oqideepg.exe, Njkfpl32.exe, Ajphib32.exe, Fhffaj32.exe, Gdamqndn.exe, Hlpamq32.exe, Emkaol32.exe, Hcnpbi32.exe, Lpeifeca.exe, Oomhcbjp.exe, Bhcdaibd.exe, Pimkpfeh.exe, Pikkiijf.exe, Oobjaqaj.exe, Anlmmp32.exe, Bblogakg.exe, Cklmgb32.exe, Ihankokm.exe, Idklfpon.exe, Ooeggp32.exe, Jakfkfpc.exe

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (32 entries): Onmkio32.exe, Nncahjgl.exe, Cklmgb32.exe, Gpgdbpob.exe, Dqlafm32.exe, Jokcgmee.exe, Ongnonkb.exe, Mlgigdoh.exe, Okalbc32.exe, Fbgmbg32.exe, Odobjg32.exe, Pndniaop.exe, Hicodd32.exe, Igdogl32.exe, Pkpagq32.exe, Giffeg32.exe, Oqcnfjli.exe, Hacmcfge.exe, Bmmiij32.exe, Ldqegd32.exe, Ioojhpdb.exe, Jnmjok32.exe, Epdkli32.exe, Afiecb32.exe, Hlpamq32.exe, Icjfhn32.exe, Odegpj32.exe, Nacgdhlp.exe, Pcnbablo.exe, Maphdl32.exe, Efncicpm.exe, Pfoocjfd.exe
Executes dropped EXE (64 IoCs)
pid | Process
2660 | Gkaidjhe.exe
2620 | Gakaqd32.exe
2884 | Gdimmp32.exe
2764 | Gkceijfb.exe
2644 | Giffeg32.exe
2964 | Gmabeeef.exe
1180 | Gdljbp32.exe
2096 | Gkeboj32.exe
2744 | Gihbjfkj.exe
1660 | Glgofbjn.exe
2192 | Gdnghpkq.exe
2820 | Gglcdkjd.exe
1292 | Geocph32.exe
2352 | Gnfkqe32.exe
2284 | Gccdil32.exe
540 | Geapeg32.exe
712 | Gllhaa32.exe
1120 | Gpgdbpob.exe
880 | Hceqnlnf.exe
412 | Hedmkgmi.exe
2164 | Hjpike32.exe
1412 | Hlnega32.exe
624 | Hkqecnkq.exe
1860 | Hakmph32.exe
572 | Hefipfkg.exe
2776 | Hheelbjj.exe
2580 | Hlpamq32.exe
2616 | Hndkji32.exe
2896 | Haogkgoh.exe
2708 | Hdncgbnl.exe
2276 | Hglocnmp.exe
2372 | Hjkkojlc.exe
2980 | Hqddldcp.exe
2848 | Hjmhdi32.exe
1580 | Inhdehbj.exe
2868 | Iqgqacam.exe
2788 | Idblbb32.exe
1564 | Icemmopa.exe
2792 | Igainn32.exe
1456 | Ijoeji32.exe
1848 | Inkakhpg.exe
608 | Ichico32.exe
2828 | Igcecmfg.exe
688 | Iffeoj32.exe
1908 | Iidbke32.exe
848 | Ioojhpdb.exe
2112 | Icjfhn32.exe
1152 | Ifhbdj32.exe
1788 | Ijdnehci.exe
1196 | Imbkadcl.exe
1236 | Iclcnnji.exe
1672 | Ifkojiim.exe
2320 | Iiikfehq.exe
2684 | Ikggbpgd.exe
2640 | Ioccco32.exe
2492 | Ibapoj32.exe
2516 | Jeplkf32.exe
2152 | Jkjdhpea.exe
2984 | Jkjdhpea.exe
2568 | Jnhqdkde.exe
1804 | Jbdlejmn.exe
1980 | Jebiaelb.exe
2784 | Jgqemakf.exe
2540 | Jjoailji.exe
Loads dropped DLL (64 IoCs)
Each pid below is recorded twice in the report's 64 entries.
pid | Process
868 | 04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe
2660 | Gkaidjhe.exe
2620 | Gakaqd32.exe
2884 | Gdimmp32.exe
2764 | Gkceijfb.exe
2644 | Giffeg32.exe
2964 | Gmabeeef.exe
1180 | Gdljbp32.exe
2096 | Gkeboj32.exe
2744 | Gihbjfkj.exe
1660 | Glgofbjn.exe
2192 | Gdnghpkq.exe
2820 | Gglcdkjd.exe
1292 | Geocph32.exe
2352 | Gnfkqe32.exe
2284 | Gccdil32.exe
540 | Geapeg32.exe
712 | Gllhaa32.exe
1120 | Gpgdbpob.exe
880 | Hceqnlnf.exe
412 | Hedmkgmi.exe
2164 | Hjpike32.exe
1412 | Hlnega32.exe
624 | Hkqecnkq.exe
1860 | Hakmph32.exe
572 | Hefipfkg.exe
2776 | Hheelbjj.exe
2580 | Hlpamq32.exe
2616 | Hndkji32.exe
2896 | Haogkgoh.exe
2708 | Hdncgbnl.exe
2276 | Hglocnmp.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Higdqfol.dll | Pbpjiphi.exe
File created | C:\Windows\SysWOW64\Gldkfl32.exe | Ghhofmql.exe
File opened for modification | C:\Windows\SysWOW64\Jjlnif32.exe | Jgnamk32.exe
File created | C:\Windows\SysWOW64\Nmpipp32.dll | Lpdbloof.exe
File created | C:\Windows\SysWOW64\Nhiffc32.exe | Ndmjedoi.exe
File created | C:\Windows\SysWOW64\Jjoailji.exe | Jgqemakf.exe
File created | C:\Windows\SysWOW64\Kipnfged.exe | Kfaajlfp.exe
File created | C:\Windows\SysWOW64\Ongnonkb.exe | Ofpfnqjp.exe
File created | C:\Windows\SysWOW64\Ddbkoipg.dll | Ofpfnqjp.exe
File created | C:\Windows\SysWOW64\Cfgnhbba.dll | Cohigamf.exe
File created | C:\Windows\SysWOW64\Geemiobo.dll | Edkcojga.exe
File created | C:\Windows\SysWOW64\Ghjkhm32.dll | Ijoeji32.exe
File created | C:\Windows\SysWOW64\Laplei32.exe | Loapim32.exe
File opened for modification | C:\Windows\SysWOW64\Fbgmbg32.exe | Ffpmnf32.exe
File opened for modification | C:\Windows\SysWOW64\Gonnhhln.exe | Globlmmj.exe
File created | C:\Windows\SysWOW64\Jlbjhf32.dll | Lhpfqama.exe
File created | C:\Windows\SysWOW64\Nbipbe32.dll | Kbcicmpj.exe
File opened for modification | C:\Windows\SysWOW64\Llccmb32.exe | Kdlkld32.exe
File created | C:\Windows\SysWOW64\Anapbp32.dll | Dqhhknjp.exe
File opened for modification | C:\Windows\SysWOW64\Pfjbgnme.exe | Pggbla32.exe
File created | C:\Windows\SysWOW64\Opiehf32.dll | Cgcmlcja.exe
File created | C:\Windows\SysWOW64\Madapkmp.exe | Mnieom32.exe
File opened for modification | C:\Windows\SysWOW64\Ppoqge32.exe | Plcdgfbo.exe
File created | C:\Windows\SysWOW64\Lecgje32.exe | Lahkigca.exe
File created | C:\Windows\SysWOW64\Bhahlj32.exe | Bingpmnl.exe
File opened for modification | C:\Windows\SysWOW64\Gphmeo32.exe | Gaemjbcg.exe
File created | C:\Windows\SysWOW64\Mdqmicng.dll | Najdnj32.exe
File created | C:\Windows\SysWOW64\Aoffmd32.exe | Aoffmd32.exe
File created | C:\Windows\SysWOW64\Efncicpm.exe | Ecpgmhai.exe
File created | C:\Windows\SysWOW64\Mjghmm32.dll | Jeplkf32.exe
File created | C:\Windows\SysWOW64\Aiedjneg.exe | Affhncfc.exe
File created | C:\Windows\SysWOW64\Bgknheej.exe | Bdlblj32.exe
File created | C:\Windows\SysWOW64\Ikkbnm32.dll | Fpdhklkl.exe
File opened for modification | C:\Windows\SysWOW64\Nhfipcid.exe | Nehmdhja.exe
File opened for modification | C:\Windows\SysWOW64\Komfnnck.exe | Klnjbbdh.exe
File created | C:\Windows\SysWOW64\Ahcfok32.dll | Dbehoa32.exe
File opened for modification | C:\Windows\SysWOW64\Ihdkao32.exe | Idhopq32.exe
File opened for modification | C:\Windows\SysWOW64\Pjenhm32.exe | Pfjbgnme.exe
File opened for modification | C:\Windows\SysWOW64\Bldcpf32.exe | Bhigphio.exe
File opened for modification | C:\Windows\SysWOW64\Glfhll32.exe | Gdopkn32.exe
File opened for modification | C:\Windows\SysWOW64\Hmlnoc32.exe | Hiqbndpb.exe
File opened for modification | C:\Windows\SysWOW64\Ldfgebbe.exe | Lecgje32.exe
File created | C:\Windows\SysWOW64\Okgnab32.exe | Ohibdf32.exe
File created | C:\Windows\SysWOW64\Bghabf32.exe | Bdjefj32.exe
File opened for modification | C:\Windows\SysWOW64\Ecmkghcl.exe | Epaogi32.exe
File opened for modification | C:\Windows\SysWOW64\Gmgdddmq.exe | Gkihhhnm.exe
File created | C:\Windows\SysWOW64\Bmfmjjgm.dll | Abjebn32.exe
File created | C:\Windows\SysWOW64\Jjifqd32.dll | Aidnohbk.exe
File opened for modification | C:\Windows\SysWOW64\Ajjcbpdd.exe | Afohaa32.exe
File created | C:\Windows\SysWOW64\Jakfkfpc.exe | Jmpjkggj.exe
File created | C:\Windows\SysWOW64\Ejpdgffb.dll | Jmpjkggj.exe
File created | C:\Windows\SysWOW64\Clomqk32.exe | Cfeddafl.exe
File created | C:\Windows\SysWOW64\Fddcahee.dll | Oddpfc32.exe
File created | C:\Windows\SysWOW64\Ddeaalpg.exe | Djpmccqq.exe
File created | C:\Windows\SysWOW64\Gobgcg32.exe | Gldkfl32.exe
File created | C:\Windows\SysWOW64\Iknqdmpf.dll | Idhopq32.exe
File created | C:\Windows\SysWOW64\Ldfgebbe.exe | Lecgje32.exe
File created | C:\Windows\SysWOW64\Dggcffhg.exe | Dhdcji32.exe
File created | C:\Windows\SysWOW64\Gkceijfb.exe | Gdimmp32.exe
File opened for modification | C:\Windows\SysWOW64\Hpapln32.exe | Hlfdkoin.exe
File created | C:\Windows\SysWOW64\Iokfhi32.exe | Igdogl32.exe
File created | C:\Windows\SysWOW64\Gdljbp32.exe | Gmabeeef.exe
File opened for modification | C:\Windows\SysWOW64\Nkeelohh.exe | Nhfipcid.exe
File opened for modification | C:\Windows\SysWOW64\Abhimnma.exe | Anlmmp32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
7496 | 7472 | WerFault.exe | 729
Modifies registry class (64 IoCs)
All 64 entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (written as ...\InProcServer32 below). They fall into three groups.

Key created ...\InProcServer32
Process (24 entries): Gacpdbej.exe, Okikfagn.exe, Cjfccn32.exe, Libgjj32.exe, Alhjai32.exe, Qfahhm32.exe, Ghhofmql.exe, Glfhll32.exe, Mpfkqb32.exe, Npdjje32.exe, Ebpkce32.exe, Cbkeib32.exe, Inngcfid.exe, Alpmfdcb.exe, Kpmlkp32.exe, Jnhqdkde.exe, Eiaiqn32.exe, Bjijdadm.exe, Flabbihl.exe, Hjhhocjj.exe, Lmcijcbe.exe, Pfiidobe.exe, Eilpeooq.exe, Ejhlgaeh.exe

Set value (str) ...\InProcServer32\ThreadingModel = "Apartment"
Process (23 entries): Qbelgood.exe, Nhdlkdkg.exe, Cgejac32.exe, Nqqdag32.exe, Ppoqge32.exe, Kahojc32.exe, Ldfgebbe.exe, Cnmehnan.exe, Maphdl32.exe, Ppbfpd32.exe, Cjfccn32.exe, Dfgmhd32.exe, Inngcfid.exe, Idmhkpml.exe, Ofpfnqjp.exe, Lmnbkinf.exe, Pgobhcac.exe, Ajphib32.exe, Gpgdbpob.exe, Bnefdp32.exe, Pbfpik32.exe, Qlkdkd32.exe, Hndkji32.exe

Set value (str) ...\InProcServer32\ = "<DLL path>" (the (Default) value, i.e. the in-process server that is loaded for the CLSID; 17 entries)
ioc | Process
"C:\\Windows\\SysWow64\\Mghohc32.dll" | Cgejac32.exe
"C:\\Windows\\SysWow64\\Ajklhn32.dll" | Icjfhn32.exe
"C:\\Windows\\SysWow64\\Bjhjlg32.dll" | Mdqafgnf.exe
"C:\\Windows\\SysWow64\\Ccdcec32.dll" | Cobbhfhg.exe
"C:\\Windows\\SysWow64\\Jknpfqoh.dll" | Mmahdggc.exe
"C:\\Windows\\SysWow64\\Nneloe32.dll" | Npfgpe32.exe
"C:\\Windows\\SysWow64\\Bpooed32.dll" | Baakhm32.exe
"C:\\Windows\\SysWow64\\Pbqpqcoj.dll" | Pgplkb32.exe
"C:\\Windows\\SysWow64\\Bihebmne.dll" | Imbkadcl.exe
"C:\\Windows\\SysWow64\\Lkebie32.dll" | Bhcdaibd.exe
"C:\\Windows\\SysWow64\\Lnnhje32.dll" | Gonnhhln.exe
"C:\\Windows\\SysWow64\\Dpmqjgdc.dll" | Pggbla32.exe
"C:\\Windows\\SysWow64\\Enlbgc32.dll" | Hiekid32.exe
"C:\\Windows\\SysWow64\\Dhnakg32.dll" | Ldcamcih.exe
"C:\\Windows\\SysWow64\\Oqhiplaj.dll" | Adnopfoj.exe
"C:\\Windows\\SysWow64\\Pabfdklg.dll" | Gobgcg32.exe
"C:\\Windows\\SysWow64\\Nmpipp32.dll" | Lpdbloof.exe
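The "Adds autorun key" and "Modifies registry class" signatures are two halves of one persistence mechanism. Explorer.exe reads the values under ShellServiceObjectDelayLoad at startup, treats each value's data as a CLSID and instantiates that COM object, so whatever DLL is registered as the CLSID's InProcServer32 (here the dropped DLLs in SysWow64; Nmpipp32.dll, for instance, appears both in "Drops file in System32 directory" and as an InProcServer32 target, both by Lpdbloof.exe) ends up loaded inside Explorer. Two caveats the report does not spell out: every write goes through the Wow6432Node view because the sample is 32-bit, and the native 64-bit Explorer reads the native view, so this run does not establish that the entry ever fires on a 64-bit host; and the report does not order the writes, so the 17 DLL paths compete for one (Default) value and only the last one written is live at the end of the run. The script below is an added example, not part of the Triage report and not Triage's own tooling: it parses IoC lines in the report's "description ioc Process" shape, joins the SSODL value to the CLSID's InProcServer32 registration, and emits the registry keys (in both views) and DLL paths to check on a host. The input lines are excerpted from the two signatures above, one entry per line; the parser assumes that layout and nothing else.

```python
"""Parse Triage-style registry IoC lines and derive host-hunt artifacts for
the ShellServiceObjectDelayLoad (SSODL) persistence in this report.
Added example, not part of the Triage report."""
import re
from dataclasses import dataclass

# Constructed input: six entries excerpted verbatim from the two registry
# signatures above, one per line (the report runs them together).
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihbjfkj.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" Cgejac32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbelgood.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacpdbej.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajklhn32.dll" Icjfhn32.exe
'''

# "Set value (<type>) <key>\<value name> = "<data>" <process>"; the value name may
# contain spaces ("Web Event Logger") or be empty (the (Default) value).
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\\S+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


@dataclass
class RegIoc:
    op: str     # "set" or "create"
    key: str    # key path as the report prints it (\REGISTRY\MACHINE\...)
    value: str  # value name; "" is the (Default) value
    data: str   # value data, with the report's doubled backslashes collapsed
    proc: str   # process that performed the write


def parse_ioc_lines(text):
    """One RegIoc per non-empty line; an unknown shape raises rather than vanishing."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            key, _, value = m['path'].rpartition('\\')
            records.append(RegIoc('set', key, value, m['data'].replace('\\\\', '\\'), m['proc']))
        elif m := KEY_RE.match(line):
            records.append(RegIoc('create', m['path'], '', '', m['proc']))
        else:
            raise ValueError(f'unrecognised IoC line: {line!r}')
    return records


def ssodl_persistence(records):
    """Join each CLSID listed under SSODL with its InProcServer32 registration.
    Several DLL paths can accumulate for one CLSID: every dropped copy rewrites
    the (Default) value and the report does not order the writes."""
    entries = {}

    def entry(clsid):
        return entries.setdefault(clsid.upper(), {
            'ssodl_key': None, 'ssodl_value': None, 'clsid_key': None,
            'dlls': [], 'threading': None, 'writers': []})

    for r in records:
        if r.op == 'set' and r.key.endswith('\\ShellServiceObjectDelayLoad'):
            if m := CLSID_RE.fullmatch(r.data):
                e = entry(m.group(0))
                e['ssodl_key'], e['ssodl_value'] = r.key, r.value
                e['writers'].append(r.proc)
        elif r.key.endswith('\\InProcServer32') and (m := CLSID_RE.search(r.key)):
            e = entry(m.group(0))
            e['clsid_key'] = r.key
            if r.op == 'set' and r.value == '' and r.data not in e['dlls']:
                e['dlls'].append(r.data)          # (Default) = the server DLL
            elif r.op == 'set' and r.value == 'ThreadingModel':
                e['threading'] = r.data
            e['writers'].append(r.proc)
    return entries


def to_hklm(key):
    """\\REGISTRY\\MACHINE\\... -> HKLM\\..., the form hunt tools and reg.exe take."""
    return re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', key, flags=re.IGNORECASE)


def hunt_artifacts(e):
    """Keys to inspect in both registry views plus the DLLs to pull from disk.
    Assumption (see lead-in): the report only shows Wow6432Node writes because the
    sample is 32-bit; the native view is listed so a hunt covers 64-bit Explorer too."""
    keys = []
    for k in (e['ssodl_key'], e['clsid_key']):
        if k:
            wow = to_hklm(k)
            keys.append(wow)
            native = wow.replace('\\Wow6432Node', '')
            if native != wow:
                keys.append(native)
    return {'registry_keys': keys, 'ssodl_value': e['ssodl_value'], 'files': list(e['dlls'])}


if __name__ == '__main__':
    for clsid, e in ssodl_persistence(parse_ioc_lines(SAMPLE_IOCS)).items():
        print(clsid, e['threading'], hunt_artifacts(e))
```

Fed the full 64-entry lists above, the same code yields one CLSID, the value name "Web Event Logger", and all 17 DLL paths; on a live host, reading the (Default) value of the InProcServer32 key tells you which of them actually won.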
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries are 16 distinct parent -> child writes, each recorded four times.
description | pid | Process | procid_target
PID 868 wrote to memory of 2660 | 868 | 04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe | 28
PID 2660 wrote to memory of 2620 | 2660 | Gkaidjhe.exe | 29
PID 2620 wrote to memory of 2884 | 2620 | Gakaqd32.exe | 30
PID 2884 wrote to memory of 2764 | 2884 | Gdimmp32.exe | 31
PID 2764 wrote to memory of 2644 | 2764 | Gkceijfb.exe | 32
PID 2644 wrote to memory of 2964 | 2644 | Giffeg32.exe | 33
PID 2964 wrote to memory of 1180 | 2964 | Gmabeeef.exe | 34
PID 1180 wrote to memory of 2096 | 1180 | Gdljbp32.exe | 35
PID 2096 wrote to memory of 2744 | 2096 | Gkeboj32.exe | 36
PID 2744 wrote to memory of 1660 | 2744 | Gihbjfkj.exe | 37
PID 1660 wrote to memory of 2192 | 1660 | Glgofbjn.exe | 38
PID 2192 wrote to memory of 2820 | 2192 | Gdnghpkq.exe | 39
PID 2820 wrote to memory of 1292 | 2820 | Gglcdkjd.exe | 40
PID 1292 wrote to memory of 2352 | 1292 | Geocph32.exe | 41
PID 2352 wrote to memory of 2284 | 2352 | Gnfkqe32.exe | 42
PID 2284 wrote to memory of 540 | 2284 | Gccdil32.exe | 43
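Read together with the "Executes dropped EXE" pid list, the WriteProcessMemory entries describe a single linear chain: each dropped executable in SysWOW64 starts exactly one child, which is the next dropped executable, and the report logs every parent -> child write four times. The block below is an added example, not the report's or Triage's code: it rebuilds that chain from the flattened text, collapses the duplicates and resolves child names from the pid list. Its input is constructed from the first four relations above, repeated four times each exactly as the report lists them; the regex assumes the "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>" shape seen here.

```python
"""Rebuild the dropper's process chain from the flattened
"Suspicious use of WriteProcessMemory" signature text.  Added example, not
part of the Triage report."""
import re
from collections import Counter

SAMPLE = "04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe"

# Constructed input: the first four parent->child relations of the signature,
# each repeated four times, joined into one run of text as the report prints it.
WPM_TEXT = " ".join(
    [f"PID 868 wrote to memory of 2660 868 {SAMPLE} 28"] * 4
    + ["PID 2660 wrote to memory of 2620 2660 Gkaidjhe.exe 29"] * 4
    + ["PID 2620 wrote to memory of 2884 2620 Gakaqd32.exe 30"] * 4
    + ["PID 2884 wrote to memory of 2764 2884 Gdimmp32.exe 31"] * 4
)
# Constructed input: the matching start of the "Executes dropped EXE" pid list.
EXE_TEXT = "2660 Gkaidjhe.exe 2620 Gakaqd32.exe 2884 Gdimmp32.exe 2764 Gkceijfb.exe"

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>";
# the back-reference insists the two parent pids agree, which catches mis-splits.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
EXE_RE = re.compile(r"(\d+) (\S+\.exe)")


def parse_edges(text):
    """Count each (parent_pid, child_pid, parent_name, procid_target) tuple."""
    edges = Counter()
    for parent, child, name, target in WPM_RE.findall(text):
        edges[(int(parent), int(child), name, int(target))] += 1
    return edges


def parse_names(text):
    """pid -> image name from the 'Executes dropped EXE' list."""
    return {int(pid): name for pid, name in EXE_RE.findall(text)}


def build_chain(edges, names, root_pid, root_name):
    """Walk parent->child edges from the root; returns [(pid, name), ...].
    Stops at a leaf or at the first fan-out (this sample never fans out)."""
    names = dict(names)
    names.setdefault(root_pid, root_name)
    children = {}
    for parent, child, parent_name, _ in edges:
        children.setdefault(parent, []).append(child)
        names.setdefault(parent, parent_name)
    chain, pid, seen = [], root_pid, set()
    while pid not in seen:            # guard against cyclic or garbled input
        seen.add(pid)
        chain.append((pid, names.get(pid, "?")))
        kids = children.get(pid, [])
        if len(kids) != 1:
            break
        pid = kids[0]
    return chain


def duplicate_factor(edges):
    """Distinct repetition counts seen per edge ({4} for this report)."""
    return set(edges.values())


if __name__ == "__main__":
    edges = parse_edges(WPM_TEXT)
    chain = build_chain(edges, parse_names(EXE_TEXT), 868, SAMPLE)
    print(f"{len(edges)} distinct edges, repeated {duplicate_factor(edges)} times each")
    print(" -> ".join(f"{pid}:{name}" for pid, name in chain))
```

Run over the full 64-entry text it gives the 16-hop chain 868 -> 2660 -> ... -> 540 that the Processes tree below also shows. The procid_target column (28, 29, ...) is the report's index into that tree; the crash entry's procid_target of 729 shows the tree kept growing well past the 64-entry cut-off of these signature lists.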
Processes
-
C:\Users\Admin\AppData\Local\Temp\04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe (command line: "C:\Users\Admin\AppData\Local\Temp\04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe"; depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 868
-
C:\Windows\SysWOW64\Gkaidjhe.exe (command line: C:\Windows\system32\Gkaidjhe.exe; depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2660
-
C:\Windows\SysWOW64\Gakaqd32.exe (command line: C:\Windows\system32\Gakaqd32.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2620
-
C:\Windows\SysWOW64\Gdimmp32.exe (command line: C:\Windows\system32\Gdimmp32.exe; depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2884
-
C:\Windows\SysWOW64\Gkceijfb.exe (command line: C:\Windows\system32\Gkceijfb.exe; depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2764
-
C:\Windows\SysWOW64\Giffeg32.exe (command line: C:\Windows\system32\Giffeg32.exe; depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2644
-
C:\Windows\SysWOW64\Gmabeeef.exe (command line: C:\Windows\system32\Gmabeeef.exe; depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2964
-
C:\Windows\SysWOW64\Gdljbp32.exe (command line: C:\Windows\system32\Gdljbp32.exe; depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1180
-
C:\Windows\SysWOW64\Gkeboj32.exe (command line: C:\Windows\system32\Gkeboj32.exe; depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2096
-
C:\Windows\SysWOW64\Gihbjfkj.exe (command line: C:\Windows\system32\Gihbjfkj.exe; depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2744
-
C:\Windows\SysWOW64\Glgofbjn.exe (command line: C:\Windows\system32\Glgofbjn.exe; depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1660
-
C:\Windows\SysWOW64\Gdnghpkq.exe (command line: C:\Windows\system32\Gdnghpkq.exe; depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2192
-
C:\Windows\SysWOW64\Gglcdkjd.exe (command line: C:\Windows\system32\Gglcdkjd.exe; depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2820
-
C:\Windows\SysWOW64\Geocph32.exe (command line: C:\Windows\system32\Geocph32.exe; depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1292
-
C:\Windows\SysWOW64\Gnfkqe32.exe (command line: C:\Windows\system32\Gnfkqe32.exe; depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2352
-
C:\Windows\SysWOW64\Gccdil32.exe (command line: C:\Windows\system32\Gccdil32.exe; depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2284
-
C:\Windows\SysWOW64\Geapeg32.exe (command line: C:\Windows\system32\Geapeg32.exe; depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID: 540
-
C:\Windows\SysWOW64\Gllhaa32.exe (command line: C:\Windows\system32\Gllhaa32.exe; depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID: 712
-
C:\Windows\SysWOW64\Gpgdbpob.exe (command line: C:\Windows\system32\Gpgdbpob.exe; depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1120
-
C:\Windows\SysWOW64\Hceqnlnf.exe (command line: C:\Windows\system32\Hceqnlnf.exe; depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID: 880
-
C:\Windows\SysWOW64\Hedmkgmi.exe (command line: C:\Windows\system32\Hedmkgmi.exe; depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID: 412
-
C:\Windows\SysWOW64\Hjpike32.exe (command line: C:\Windows\system32\Hjpike32.exe; depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID: 2164
-
C:\Windows\SysWOW64\Hlnega32.exe (command line: C:\Windows\system32\Hlnega32.exe; depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID: 1412
-
C:\Windows\SysWOW64\Hkqecnkq.exe (command line: C:\Windows\system32\Hkqecnkq.exe; depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID: 624
-
C:\Windows\SysWOW64\Hakmph32.exe (command line: C:\Windows\system32\Hakmph32.exe; depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID: 1860
-
C:\Windows\SysWOW64\Hefipfkg.exe (command line: C:\Windows\system32\Hefipfkg.exe; depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID: 572
-
C:\Windows\SysWOW64\Hheelbjj.exe (command line: C:\Windows\system32\Hheelbjj.exe; depth 27)
- Executes dropped EXE
- Loads dropped DLL
PID: 2776
-
C:\Windows\SysWOW64\Hlpamq32.exe (command line: C:\Windows\system32\Hlpamq32.exe; depth 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2580
-
C:\Windows\SysWOW64\Hndkji32.exe (command line: C:\Windows\system32\Hndkji32.exe; depth 29)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2616
-
C:\Windows\SysWOW64\Haogkgoh.exe (command line: C:\Windows\system32\Haogkgoh.exe; depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID: 2896
-
C:\Windows\SysWOW64\Hdncgbnl.exe (command line: C:\Windows\system32\Hdncgbnl.exe; depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID: 2708
-
C:\Windows\SysWOW64\Hglocnmp.exe (command line: C:\Windows\system32\Hglocnmp.exe; depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID: 2276
-
C:\Windows\SysWOW64\Hjkkojlc.exe (command line: C:\Windows\system32\Hjkkojlc.exe; depth 33)
- Executes dropped EXE
PID: 2372
-
C:\Windows\SysWOW64\Hqddldcp.exe (command line: C:\Windows\system32\Hqddldcp.exe; depth 34)
- Executes dropped EXE
PID: 2980
-
C:\Windows\SysWOW64\Hjmhdi32.exe (command line: C:\Windows\system32\Hjmhdi32.exe; depth 35)
- Executes dropped EXE
PID: 2848
-
C:\Windows\SysWOW64\Inhdehbj.exe (command line: C:\Windows\system32\Inhdehbj.exe; depth 36)
- Executes dropped EXE
PID: 1580
-
C:\Windows\SysWOW64\Iqgqacam.exe (command line: C:\Windows\system32\Iqgqacam.exe; depth 37)
- Executes dropped EXE
PID: 2868
-
C:\Windows\SysWOW64\Idblbb32.exe (command line: C:\Windows\system32\Idblbb32.exe; depth 38)
- Executes dropped EXE
PID: 2788
-
C:\Windows\SysWOW64\Icemmopa.exe (command line: C:\Windows\system32\Icemmopa.exe; depth 39)
- Executes dropped EXE
PID: 1564
-
C:\Windows\SysWOW64\Igainn32.exe (command line: C:\Windows\system32\Igainn32.exe; depth 40)
- Executes dropped EXE
PID: 2792
-
C:\Windows\SysWOW64\Ijoeji32.exe (command line: C:\Windows\system32\Ijoeji32.exe; depth 41)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1456
-
C:\Windows\SysWOW64\Inkakhpg.exe (command line: C:\Windows\system32\Inkakhpg.exe; depth 42)
- Executes dropped EXE
PID: 1848
-
C:\Windows\SysWOW64\Ichico32.exe (command line: C:\Windows\system32\Ichico32.exe; depth 43)
- Executes dropped EXE
PID: 608
-
C:\Windows\SysWOW64\Igcecmfg.exe (command line: C:\Windows\system32\Igcecmfg.exe; depth 44)
- Executes dropped EXE
PID: 2828
-
C:\Windows\SysWOW64\Iffeoj32.exe (command line: C:\Windows\system32\Iffeoj32.exe; depth 45)
- Executes dropped EXE
PID: 688
-
C:\Windows\SysWOW64\Iidbke32.exe (command line: C:\Windows\system32\Iidbke32.exe; depth 46)
- Executes dropped EXE
PID: 1908
-
C:\Windows\SysWOW64\Ioojhpdb.exe (command line: C:\Windows\system32\Ioojhpdb.exe; depth 47)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 848
-
C:\Windows\SysWOW64\Icjfhn32.exe (command line: C:\Windows\system32\Icjfhn32.exe; depth 48)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2112
-
C:\Windows\SysWOW64\Ifhbdj32.exe (command line: C:\Windows\system32\Ifhbdj32.exe; depth 49)
- Executes dropped EXE
PID: 1152
-
C:\Windows\SysWOW64\Ijdnehci.exe (command line: C:\Windows\system32\Ijdnehci.exe; depth 50)
- Executes dropped EXE
PID: 1788
-
C:\Windows\SysWOW64\Imbkadcl.exe (command line: C:\Windows\system32\Imbkadcl.exe; depth 51)
- Executes dropped EXE
- Modifies registry class
PID: 1196
-
C:\Windows\SysWOW64\Iclcnnji.exe (command line: C:\Windows\system32\Iclcnnji.exe; depth 52)
- Executes dropped EXE
PID: 1236
-
C:\Windows\SysWOW64\Ifkojiim.exe (command line: C:\Windows\system32\Ifkojiim.exe; depth 53)
- Executes dropped EXE
PID: 1672
-
C:\Windows\SysWOW64\Iiikfehq.exe (command line: C:\Windows\system32\Iiikfehq.exe; depth 54)
- Executes dropped EXE
PID: 2320
-
C:\Windows\SysWOW64\Ikggbpgd.exe (command line: C:\Windows\system32\Ikggbpgd.exe; depth 55)
- Executes dropped EXE
PID: 2684
-
C:\Windows\SysWOW64\Ioccco32.exe (command line: C:\Windows\system32\Ioccco32.exe; depth 56)
- Executes dropped EXE
PID: 2640
-
C:\Windows\SysWOW64\Ibapoj32.exe (command line: C:\Windows\system32\Ibapoj32.exe; depth 57)
- Executes dropped EXE
PID: 2492
-
C:\Windows\SysWOW64\Jeplkf32.exe (command line: C:\Windows\system32\Jeplkf32.exe; depth 58)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2516
-
C:\Windows\SysWOW64\Jkjdhpea.exe (command line: C:\Windows\system32\Jkjdhpea.exe; depth 59)
- Executes dropped EXE
PID: 2152
-
C:\Windows\SysWOW64\Jkjdhpea.exe (command line: C:\Windows\system32\Jkjdhpea.exe; depth 60)
- Executes dropped EXE
PID: 2984
-
C:\Windows\SysWOW64\Jnhqdkde.exe (command line: C:\Windows\system32\Jnhqdkde.exe; depth 61)
- Executes dropped EXE
- Modifies registry class
PID: 2568
-
C:\Windows\SysWOW64\Jbdlejmn.exe (command line: C:\Windows\system32\Jbdlejmn.exe; depth 62)
- Executes dropped EXE
PID: 1804
-
C:\Windows\SysWOW64\Jebiaelb.exe (command line: C:\Windows\system32\Jebiaelb.exe; depth 63)
- Executes dropped EXE
PID: 1980
-
C:\Windows\SysWOW64\Jgqemakf.exe (command line: C:\Windows\system32\Jgqemakf.exe; depth 64)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2784
-
C:\Windows\SysWOW64\Jjoailji.exe (command line: C:\Windows\system32\Jjoailji.exe; depth 65)
- Executes dropped EXE
PID: 2540
-
C:\Windows\SysWOW64\Jbfijjkl.exe (command line: C:\Windows\system32\Jbfijjkl.exe; depth 66)
PID: 3048
-
C:\Windows\SysWOW64\Jcgfbb32.exe (command line: C:\Windows\system32\Jcgfbb32.exe; depth 67)
PID: 2072
-
C:\Windows\SysWOW64\Jkonco32.exe (command line: C:\Windows\system32\Jkonco32.exe; depth 68)
PID: 1520
-
C:\Windows\SysWOW64\Jnmjok32.exe (command line: C:\Windows\system32\Jnmjok32.exe; depth 69)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 584
-
C:\Windows\SysWOW64\Jmpjkggj.exe (command line: C:\Windows\system32\Jmpjkggj.exe; depth 70)
- Drops file in System32 directory
PID: 1212
-
C:\Windows\SysWOW64\Jakfkfpc.exe (command line: C:\Windows\system32\Jakfkfpc.exe; depth 71)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1408
-
C:\Windows\SysWOW64\Jcjbgaog.exe (command line: C:\Windows\system32\Jcjbgaog.exe; depth 72)
PID: 2080
-
C:\Windows\SysWOW64\Jjdkdl32.exe (command line: C:\Windows\system32\Jjdkdl32.exe; depth 73)
PID: 380
-
C:\Windows\SysWOW64\Jnofejom.exe (command line: C:\Windows\system32\Jnofejom.exe; depth 74)
PID: 2176
-
C:\Windows\SysWOW64\Jancafna.exe (command line: C:\Windows\system32\Jancafna.exe; depth 75)
PID: 908
-
C:\Windows\SysWOW64\Jpqclb32.exe (command line: C:\Windows\system32\Jpqclb32.exe; depth 76)
PID: 2680
-
C:\Windows\SysWOW64\Jfkkimlh.exe (command line: C:\Windows\system32\Jfkkimlh.exe; depth 77)
PID: 3056
-
C:\Windows\SysWOW64\Jjfgjk32.exe (command line: C:\Windows\system32\Jjfgjk32.exe; depth 78)
PID: 2880
-
C:\Windows\SysWOW64\Jmdcfg32.exe (command line: C:\Windows\system32\Jmdcfg32.exe; depth 79)
PID: 2544
-
C:\Windows\SysWOW64\Kappfeln.exe (command line: C:\Windows\system32\Kappfeln.exe; depth 80)
PID: 2996
-
C:\Windows\SysWOW64\Kcolba32.exe (command line: C:\Windows\system32\Kcolba32.exe; depth 81)
PID: 1464
-
C:\Windows\SysWOW64\Kbalnnam.exe (command line: C:\Windows\system32\Kbalnnam.exe; depth 82)
PID: 1428
-
C:\Windows\SysWOW64\Kikdkh32.exe (command line: C:\Windows\system32\Kikdkh32.exe; depth 83)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2508
-
C:\Windows\SysWOW64\Kmgpkfab.exe (command line: C:\Windows\system32\Kmgpkfab.exe; depth 84)
PID: 2832
-
C:\Windows\SysWOW64\Kcahhq32.exe (command line: C:\Windows\system32\Kcahhq32.exe; depth 85)
PID: 900
-
C:\Windows\SysWOW64\Kbcicmpj.exe (command line: C:\Windows\system32\Kbcicmpj.exe; depth 86)
- Drops file in System32 directory
PID: 3060
-
C:\Windows\SysWOW64\Kebepion.exe (command line: C:\Windows\system32\Kebepion.exe; depth 87)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1100
-
C:\Windows\SysWOW64\Kmimafop.exe (command line: C:\Windows\system32\Kmimafop.exe; depth 88)
PID: 2424
-
C:\Windows\SysWOW64\Knjiin32.exe (command line: C:\Windows\system32\Knjiin32.exe; depth 89)
PID: 2168
-
C:\Windows\SysWOW64\Kfaajlfp.exe (command line: C:\Windows\system32\Kfaajlfp.exe; depth 90)
- Drops file in System32 directory
PID: 1360
-
C:\Windows\SysWOW64\Kipnfged.exe (command line: C:\Windows\system32\Kipnfged.exe; depth 91)
PID: 3000
-
C:\Windows\SysWOW64\Klnjbbdh.exe (command line: C:\Windows\system32\Klnjbbdh.exe; depth 92)
- Drops file in System32 directory
PID: 1780
-
C:\Windows\SysWOW64\Komfnnck.exe (command line: C:\Windows\system32\Komfnnck.exe; depth 93)
PID: 2220
-
C:\Windows\SysWOW64\Kbhbom32.exe (command line: C:\Windows\system32\Kbhbom32.exe; depth 94)
PID: 2668
-
C:\Windows\SysWOW64\Kakbjibo.exe (command line: C:\Windows\system32\Kakbjibo.exe; depth 95)
PID: 2968
-
C:\Windows\SysWOW64\Kibjkgca.exe (command line: C:\Windows\system32\Kibjkgca.exe; depth 96)
PID: 2300
-
C:\Windows\SysWOW64\Khekgc32.exe (command line: C:\Windows\system32\Khekgc32.exe; depth 97)
PID: 1620
-
C:\Windows\SysWOW64\Klqfhbbe.exe (command line: C:\Windows\system32\Klqfhbbe.exe; depth 98)
PID: 2976
-
C:\Windows\SysWOW64\Koocdnai.exe (command line: C:\Windows\system32\Koocdnai.exe; depth 99)
PID: 2748
-
C:\Windows\SysWOW64\Koocdnai.exe (command line: C:\Windows\system32\Koocdnai.exe; depth 100)
PID: 1588
-
C:\Windows\SysWOW64\Kanopipl.exe (command line: C:\Windows\system32\Kanopipl.exe; depth 101)
PID: 1760
-
C:\Windows\SysWOW64\Keikqhhe.exe (command line: C:\Windows\system32\Keikqhhe.exe; depth 102)
PID: 2904
-
C:\Windows\SysWOW64\Kdlkld32.exe (command line: C:\Windows\system32\Kdlkld32.exe; depth 103)
- Drops file in System32 directory
PID: 1356
-
C:\Windows\SysWOW64\Llccmb32.exe (command line: C:\Windows\system32\Llccmb32.exe; depth 104)
PID: 544
-
C:\Windows\SysWOW64\Loapim32.exe (command line: C:\Windows\system32\Loapim32.exe; depth 105)
- Drops file in System32 directory
PID: 108
-
C:\Windows\SysWOW64\Laplei32.exe (command line: C:\Windows\system32\Laplei32.exe; depth 106)
PID: 2116
-
C:\Windows\SysWOW64\Lodlom32.exe (command line: C:\Windows\system32\Lodlom32.exe; depth 107)
PID: 2244
-
C:\Windows\SysWOW64\Lmgmjjdn.exe (command line: C:\Windows\system32\Lmgmjjdn.exe; depth 108)
PID: 2728
-
C:\Windows\SysWOW64\Lpeifeca.exe (command line: C:\Windows\system32\Lpeifeca.exe; depth 109)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 112
-
C:\Windows\SysWOW64\Ldqegd32.exe (command line: C:\Windows\system32\Ldqegd32.exe; depth 110)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2624
-
C:\Windows\SysWOW64\Lkkmdn32.exe (command line: C:\Windows\system32\Lkkmdn32.exe; depth 111)
PID: 2636
-
C:\Windows\SysWOW64\Limmokib.exe (command line: C:\Windows\system32\Limmokib.exe; depth 112)
PID: 320
-
C:\Windows\SysWOW64\Lpgele32.exe (command line: C:\Windows\system32\Lpgele32.exe; depth 113)
PID: 1716
-
C:\Windows\SysWOW64\Ldcamcih.exe (command line: C:\Windows\system32\Ldcamcih.exe; depth 114)
- Modifies registry class
PID: 2436
-
C:\Windows\SysWOW64\Lbfahp32.exe (command line: C:\Windows\system32\Lbfahp32.exe; depth 115)
PID: 2816
-
C:\Windows\SysWOW64\Lganiohl.exe (command line: C:\Windows\system32\Lganiohl.exe; depth 116)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1800
-
C:\Windows\SysWOW64\Lmkfei32.exe (command line: C:\Windows\system32\Lmkfei32.exe; depth 117)
PID: 384
-
C:\Windows\SysWOW64\Llnfaffc.exe (command line: C:\Windows\system32\Llnfaffc.exe; depth 118)
PID: 2448
-
C:\Windows\SysWOW64\Ldenbcge.exe (command line: C:\Windows\system32\Ldenbcge.exe; depth 119)
PID: 860
-
C:\Windows\SysWOW64\Lgdjnofi.exe (command line: C:\Windows\system32\Lgdjnofi.exe; depth 120)
PID: 1076
-
C:\Windows\SysWOW64\Libgjj32.exe (command line: C:\Windows\system32\Libgjj32.exe; depth 121)
- Modifies registry class
PID: 1916
-
C:\Windows\SysWOW64\Lmnbkinf.exe (command line: C:\Windows\system32\Lmnbkinf.exe; depth 122)
- Modifies registry class
PID: 896