Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13/03/2024, 21:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe
-
Size
74KB
-
MD5
f9d8deda22203b26b2599f9bb7af3cb1
-
SHA1
33c08df17641c6e473a6517f28d131644a41458d
-
SHA256
845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd
-
SHA512
6fec641c3b142c91db149a06840ff8a8c4a2b2ff1d20001d7aa0e7a017c43b07e27f4b1e73e54368061ee4931aa8f98840c709559b561ff2d540c6b4a31207ae
-
SSDEEP
1536:+Geq9JdyeRvVRzPNhQtOtFS4nnmUzbN7x98Y87M4IoNIp:+GeWOavVRzPfQtuFwqxIwRoyp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odhfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neplhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Logbhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jabbhcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdbbloa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlkopcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghqnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onecbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncbplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Annbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fadminnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afiglkle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjhagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjhkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpleef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blaopqpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdklf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigchgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbcfadgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odlojanh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbdonb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkafo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfgngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlfdkoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdcji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjongcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohaeia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boplllob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhgojk.exe -
Executes dropped EXE 64 IoCs
pid Process 1260 Feeiob32.exe 2084 Gpknlk32.exe 2696 Ghfbqn32.exe 2644 Gejcjbah.exe 2612 Ghhofmql.exe 2444 Ghhofmql.exe 560 Gldkfl32.exe 1820 Ghkllmoi.exe 2880 Goddhg32.exe 2684 Gdamqndn.exe 2672 Gaemjbcg.exe 1636 Hgbebiao.exe 2816 Hkpnhgge.exe 1048 Hnojdcfi.exe 2488 Hdhbam32.exe 1740 Hggomh32.exe 1544 Hgilchkf.exe 1720 Hlfdkoin.exe 2784 Hodpgjha.exe 1960 Hlhaqogk.exe 1672 Iaeiieeb.exe 1644 Ieqeidnl.exe 2036 Ilknfn32.exe 2252 Ioijbj32.exe 1716 Idfbkq32.exe 2000 Igdogl32.exe 884 Ijeghgoh.exe 2776 Ikddbj32.exe 2528 Imfqjbli.exe 2720 Icpigm32.exe 2656 Jofiln32.exe 2212 Jgnamk32.exe 2452 Jqfffqpm.exe 2496 Jcdbbloa.exe 1744 Jejhecaj.exe 3004 Jgidao32.exe 2516 Joplbl32.exe 2688 Jbnhng32.exe 1936 Kemejc32.exe 540 Kgkafo32.exe 2852 Kneicieh.exe 1040 Kbqecg32.exe 1564 Keoapb32.exe 292 Kcbakpdo.exe 1036 Kkijmm32.exe 1556 Kmjfdejp.exe 2088 Kcdnao32.exe 956 Kgpjanje.exe 656 Kjnfniii.exe 2412 Knjbnh32.exe 1952 Kpkofpgq.exe 2316 Kcfkfo32.exe 2540 Kfgdhjmk.exe 2596 Kifpdelo.exe 2744 Lpphap32.exe 1596 Lckdanld.exe 2728 Lpbefoai.exe 2484 Loeebl32.exe 3064 Lflmci32.exe 3020 Lijjoe32.exe 2900 Lliflp32.exe 2676 Logbhl32.exe 2180 Leajdfnm.exe 1432 Lhpfqama.exe -
Loads dropped DLL 64 IoCs
pid Process 2004 845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe 2004 845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe 1260 Feeiob32.exe 1260 Feeiob32.exe 2084 Gpknlk32.exe 2084 Gpknlk32.exe 2696 Ghfbqn32.exe 2696 Ghfbqn32.exe 2644 Gejcjbah.exe 2644 Gejcjbah.exe 2612 Ghhofmql.exe 2612 Ghhofmql.exe 2444 Ghhofmql.exe 2444 Ghhofmql.exe 560 Gldkfl32.exe 560 Gldkfl32.exe 1820 Ghkllmoi.exe 1820 Ghkllmoi.exe 2880 Goddhg32.exe 2880 Goddhg32.exe 2684 Gdamqndn.exe 2684 Gdamqndn.exe 2672 Gaemjbcg.exe 2672 Gaemjbcg.exe 1636 Hgbebiao.exe 1636 Hgbebiao.exe 2816 Hkpnhgge.exe 2816 Hkpnhgge.exe 1048 Hnojdcfi.exe 1048 Hnojdcfi.exe 2488 Hdhbam32.exe 2488 Hdhbam32.exe 1740 Hggomh32.exe 1740 Hggomh32.exe 1544 Hgilchkf.exe 1544 Hgilchkf.exe 1720 Hlfdkoin.exe 1720 Hlfdkoin.exe 2784 Hodpgjha.exe 2784 Hodpgjha.exe 1960 Hlhaqogk.exe 1960 Hlhaqogk.exe 1672 Iaeiieeb.exe 1672 Iaeiieeb.exe 1644 Ieqeidnl.exe 1644 Ieqeidnl.exe 2036 Ilknfn32.exe 2036 Ilknfn32.exe 2252 Ioijbj32.exe 2252 Ioijbj32.exe 1716 Idfbkq32.exe 1716 Idfbkq32.exe 2000 Igdogl32.exe 2000 Igdogl32.exe 884 Ijeghgoh.exe 884 Ijeghgoh.exe 2776 Ikddbj32.exe 2776 Ikddbj32.exe 2528 Imfqjbli.exe 2528 Imfqjbli.exe 2720 Icpigm32.exe 2720 Icpigm32.exe 2656 Jofiln32.exe 2656 Jofiln32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cghggc32.exe Cnobnmpl.exe File created C:\Windows\SysWOW64\Gmgninie.exe Gepehphc.exe File created C:\Windows\SysWOW64\Odjbdb32.exe Onpjghhn.exe File created C:\Windows\SysWOW64\Jjcpjl32.dll Gaemjbcg.exe File created C:\Windows\SysWOW64\Cqljpedj.dll Kgkafo32.exe File created C:\Windows\SysWOW64\Kpkofpgq.exe Knjbnh32.exe File opened for modification C:\Windows\SysWOW64\Pjhknm32.exe Papfegmk.exe File created C:\Windows\SysWOW64\Hdihmjpf.dll Alegac32.exe File opened for modification C:\Windows\SysWOW64\Amhpnkch.exe Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Lmlhnagm.exe Ljmlbfhi.exe File created C:\Windows\SysWOW64\Qqeicede.exe Qbbhgi32.exe File opened for modification C:\Windows\SysWOW64\Afiglkle.exe Agfgqo32.exe File opened for modification C:\Windows\SysWOW64\Apdhjq32.exe Ajgpbj32.exe File opened for modification C:\Windows\SysWOW64\Pjnamh32.exe Pfbelipa.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hggomh32.exe File created C:\Windows\SysWOW64\Anccmo32.exe Alegac32.exe File opened for modification C:\Windows\SysWOW64\Ebodiofk.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Bbgdfdaf.dll Gbaileio.exe File created C:\Windows\SysWOW64\Gdmlko32.dll Hhehek32.exe File created C:\Windows\SysWOW64\Icjhagdp.exe Iefhhbef.exe File opened for modification C:\Windows\SysWOW64\Abphal32.exe Aigchgkh.exe File created C:\Windows\SysWOW64\Ndjfeo32.exe Nckjkl32.exe File created C:\Windows\SysWOW64\Jgafgmqa.dll Pjpnbg32.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gpknlk32.exe File created C:\Windows\SysWOW64\Fqmmidel.dll Mhdplq32.exe File created C:\Windows\SysWOW64\Mimbdhhb.exe Mcbjgn32.exe File created C:\Windows\SysWOW64\Alnqqd32.exe Qedhdjnh.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Dggcffhg.exe File created C:\Windows\SysWOW64\Naimccpo.exe Nibebfpl.exe File created C:\Windows\SysWOW64\Ajgpbj32.exe Abphal32.exe File created C:\Windows\SysWOW64\Njelgo32.dll Ajgpbj32.exe File opened for modification C:\Windows\SysWOW64\Cklfll32.exe Cmgechbh.exe File opened for modification C:\Windows\SysWOW64\Goddhg32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Bnpanefm.dll Kbqecg32.exe File created C:\Windows\SysWOW64\Inlepd32.dll Ojahnj32.exe File created C:\Windows\SysWOW64\Kfgdhjmk.exe Kcfkfo32.exe File created C:\Windows\SysWOW64\Mdqmicng.dll Najdnj32.exe File created C:\Windows\SysWOW64\Ocindg32.dll Nceclqan.exe File created C:\Windows\SysWOW64\Habfipdj.exe Hiknhbcg.exe File created C:\Windows\SysWOW64\Eiiddiab.dll Jofbag32.exe File created C:\Windows\SysWOW64\Pnalpimd.dll Oaiibg32.exe File created C:\Windows\SysWOW64\Nacgdhlp.exe Ngnbgplj.exe File opened for modification C:\Windows\SysWOW64\Pciifc32.exe Pbhmnkjf.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Anojbobe.exe File created C:\Windows\SysWOW64\Cjgheann.dll Ipjoplgo.exe File opened for modification C:\Windows\SysWOW64\Jkjfah32.exe Jhljdm32.exe File created C:\Windows\SysWOW64\Jjpcbe32.exe Jbdonb32.exe File created C:\Windows\SysWOW64\Pgmkloid.dll Nacgdhlp.exe File created C:\Windows\SysWOW64\Jfoagoic.dll Kjfjbdle.exe File created C:\Windows\SysWOW64\Bonoflae.exe Bhdgjb32.exe File opened for modification C:\Windows\SysWOW64\Boplllob.exe Blaopqpo.exe File created C:\Windows\SysWOW64\Gldkfl32.exe Ghhofmql.exe File created C:\Windows\SysWOW64\Fioeja32.dll Ocimgp32.exe File created C:\Windows\SysWOW64\Lnhplkhl.dll Iefhhbef.exe File opened for modification C:\Windows\SysWOW64\Pkidlk32.exe Oqcpob32.exe File created C:\Windows\SysWOW64\Jbdipkfe.dll Afgkfl32.exe File created C:\Windows\SysWOW64\Kifpdelo.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Mnghjbjl.dll Cnobnmpl.exe File created C:\Windows\SysWOW64\Qfokbnip.exe Qbcpbo32.exe File opened for modification C:\Windows\SysWOW64\Cojema32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Bipikqbi.dll Joaeeklp.exe File opened for modification C:\Windows\SysWOW64\Pokieo32.exe Pjnamh32.exe File opened for modification C:\Windows\SysWOW64\Pfikmh32.exe Poocpnbm.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gldkfl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4400 4268 WerFault.exe 434 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gakcimgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" Blkioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edfpjabf.dll" Hkfagfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccdbl32.dll" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odlojanh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjpnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbomfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhehek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdqbekcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baakhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbaileio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Ghfbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdhbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abphal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdkcckg.dll" Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdbcl32.dll" Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll" Maedhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll" Ghhofmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcfqoam.dll" Jhljdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcdipnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpebiecm.dll" Iompkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnhbba.dll" Ceodnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoladf32.dll" Fbamma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kifpdelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Annbhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkkmqnck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgljbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Ekhhadmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cppkph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biddmpnf.dll" Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aigchgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdihmjpf.dll" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blaopqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdoajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akodpalp.dll" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjppa32.dll" Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Annbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdkgocpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boplllob.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2004 wrote to memory of 1260 2004 845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe 28 PID 2004 wrote to memory of 1260 2004 845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe 28 PID 2004 wrote to memory of 1260 2004 845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe 28 PID 2004 wrote to memory of 1260 2004 845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe 28 PID 1260 wrote to memory of 2084 1260 Feeiob32.exe 29 PID 1260 wrote to memory of 2084 1260 Feeiob32.exe 29 PID 1260 wrote to memory of 2084 1260 Feeiob32.exe 29 PID 1260 wrote to memory of 2084 1260 Feeiob32.exe 29 PID 2084 wrote to memory of 2696 2084 Gpknlk32.exe 30 PID 2084 wrote to memory of 2696 2084 Gpknlk32.exe 30 PID 2084 wrote to memory of 2696 2084 Gpknlk32.exe 30 PID 2084 wrote to memory of 2696 2084 Gpknlk32.exe 30 PID 2696 wrote to memory of 2644 2696 Ghfbqn32.exe 31 PID 2696 wrote to memory of 2644 2696 Ghfbqn32.exe 31 PID 2696 wrote to memory of 2644 2696 Ghfbqn32.exe 31 PID 2696 wrote to memory of 2644 2696 Ghfbqn32.exe 31 PID 2644 wrote to memory of 2612 2644 Gejcjbah.exe 32 PID 2644 wrote to memory of 2612 2644 Gejcjbah.exe 32 PID 2644 wrote to memory of 2612 2644 Gejcjbah.exe 32 PID 2644 wrote to memory of 2612 2644 Gejcjbah.exe 32 PID 2612 wrote to memory of 2444 2612 Ghhofmql.exe 33 PID 2612 wrote to memory of 2444 2612 Ghhofmql.exe 33 PID 2612 wrote to memory of 2444 2612 Ghhofmql.exe 33 PID 2612 wrote to memory of 2444 2612 Ghhofmql.exe 33 PID 2444 wrote to memory of 560 2444 Ghhofmql.exe 34 PID 2444 wrote to memory of 560 2444 Ghhofmql.exe 34 PID 2444 wrote to memory of 560 2444 Ghhofmql.exe 34 PID 2444 wrote to memory of 560 2444 Ghhofmql.exe 34 PID 560 wrote to memory of 1820 560 Gldkfl32.exe 35 PID 560 wrote to memory of 1820 560 Gldkfl32.exe 35 PID 560 wrote to memory of 1820 560 Gldkfl32.exe 35 PID 560 wrote to memory of 1820 560 Gldkfl32.exe 35 PID 1820 wrote to memory of 2880 1820 Ghkllmoi.exe 36 PID 1820 wrote to memory of 2880 1820 Ghkllmoi.exe 36 PID 1820 wrote to memory of 2880 1820 Ghkllmoi.exe 36 PID 1820 wrote to memory of 2880 1820 Ghkllmoi.exe 36 PID 2880 wrote to memory of 2684 2880 Goddhg32.exe 37 PID 2880 wrote to memory of 2684 2880 Goddhg32.exe 37 PID 2880 wrote to memory of 2684 2880 Goddhg32.exe 37 PID 2880 wrote to memory of 2684 2880 Goddhg32.exe 37 PID 2684 wrote to memory of 2672 2684 Gdamqndn.exe 38 PID 2684 wrote to memory of 2672 2684 Gdamqndn.exe 38 PID 2684 wrote to memory of 2672 2684 Gdamqndn.exe 38 PID 2684 wrote to memory of 2672 2684 Gdamqndn.exe 38 PID 2672 wrote to memory of 1636 2672 Gaemjbcg.exe 39 PID 2672 wrote to memory of 1636 2672 Gaemjbcg.exe 39 PID 2672 wrote to memory of 1636 2672 Gaemjbcg.exe 39 PID 2672 wrote to memory of 1636 2672 Gaemjbcg.exe 39 PID 1636 wrote to memory of 2816 1636 Hgbebiao.exe 40 PID 1636 wrote to memory of 2816 1636 Hgbebiao.exe 40 PID 1636 wrote to memory of 2816 1636 Hgbebiao.exe 40 PID 1636 wrote to memory of 2816 1636 Hgbebiao.exe 40 PID 2816 wrote to memory of 1048 2816 Hkpnhgge.exe 41 PID 2816 wrote to memory of 1048 2816 Hkpnhgge.exe 41 PID 2816 wrote to memory of 1048 2816 Hkpnhgge.exe 41 PID 2816 wrote to memory of 1048 2816 Hkpnhgge.exe 41 PID 1048 wrote to memory of 2488 1048 Hnojdcfi.exe 42 PID 1048 wrote to memory of 2488 1048 Hnojdcfi.exe 42 PID 1048 wrote to memory of 2488 1048 Hnojdcfi.exe 42 PID 1048 wrote to memory of 2488 1048 Hnojdcfi.exe 42 PID 2488 wrote to memory of 1740 2488 Hdhbam32.exe 43 PID 2488 wrote to memory of 1740 2488 Hdhbam32.exe 43 PID 2488 wrote to memory of 1740 2488 Hdhbam32.exe 43 PID 2488 wrote to memory of 1740 2488 Hdhbam32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe"C:\Users\Admin\AppData\Local\Temp\845a111aed0766f978d9da5839015208869ffe454e08a7a864d67597ee5bdbfd.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe33⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe34⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe36⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe37⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe38⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe39⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe40⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe42⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe45⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe47⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe49⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:656 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe52⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe56⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe57⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe58⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe60⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe61⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe62⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe64⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe65⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe66⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe67⤵PID:724
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe68⤵PID:1152
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe69⤵PID:2628
-
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe70⤵PID:1472
-
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe71⤵
- Drops file in System32 directory
PID:312 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe72⤵PID:1052
-
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe73⤵PID:1396
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe74⤵PID:2028
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe75⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe76⤵PID:2352
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe77⤵PID:1336
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe78⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe79⤵
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe80⤵PID:2564
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe81⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe82⤵PID:2480
-
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe84⤵PID:2812
-
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2172 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe86⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe87⤵PID:2112
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1344 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe89⤵PID:1384
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe91⤵PID:2360
-
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe92⤵PID:2128
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe93⤵PID:1468
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe94⤵PID:2184
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe96⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe97⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe98⤵PID:1628
-
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe99⤵PID:2536
-
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe100⤵PID:1776
-
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe101⤵
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe102⤵PID:2304
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe104⤵PID:2772
-
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe105⤵PID:1892
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe106⤵PID:2388
-
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe107⤵PID:1404
-
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe108⤵PID:1696
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe109⤵PID:2532
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe110⤵PID:1756
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe112⤵PID:3024
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe113⤵PID:2464
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe114⤵PID:2436
-
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe116⤵PID:2796
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe117⤵PID:2664
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe118⤵PID:1664
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe119⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe120⤵PID:756
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe121⤵PID:2240
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-