Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
37s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19/03/2024, 19:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe
-
Size
128KB
-
MD5
594dc1d592d5b69a71fc3a5dd4ae2213
-
SHA1
da007bdc2c76323733d3f4e46c8e530b66158ae9
-
SHA256
41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66
-
SHA512
a33a96fa189bbb4f2508c5c999bb5a22683de6a38583a840092c1fa8b9c9781986808104a3694c2304a5422c87d8f796bdfedc8aa697a5d3cf8eabd5b33328b2
-
SSDEEP
3072:uaG0722kbEE1KseugB66bDrLXfzoeqarm9mTKpAImA:uaja2AKsevB9vXfxqySSKpRmA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbndpmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbclgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajgbkbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nihcog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjjaikoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alihaioe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hinbppna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkggmldl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcegin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iieepbje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokfakl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajpepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iinhdmma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joidhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjhcegll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anjlebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Debadpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eakooqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnapkjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lidgcclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klhemhpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghibjjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnglnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iichjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mblbnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqjkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjifodii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loclai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehpalp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkpadnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cheido32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnoijbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcnakpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjmfnok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bekmle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpafapbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfemmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eacljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjjmijme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciddedl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iieepbje.exe -
Executes dropped EXE 64 IoCs
pid Process 2832 Aollokco.exe 2612 Aggpdnpj.exe 2532 Anahqh32.exe 2664 Aigmnqgm.exe 2584 Aababceh.exe 1888 Bnhoag32.exe 2488 Bcegin32.exe 2880 Baigca32.exe 1916 Bekmle32.exe 2600 Bncaekhp.exe 2492 Cadjgf32.exe 1972 Cohkpj32.exe 1572 Ckolek32.exe 1912 Cffljlpc.exe 1088 Cheido32.exe 2140 Danmmd32.exe 1160 Dljkcb32.exe 688 Debplg32.exe 1364 Dojddmec.exe 1428 Dkadjn32.exe 896 Dakmfh32.exe 2184 Eoompl32.exe 572 Eapfagno.exe 1796 Egmojnlf.exe 3040 Edqocbkp.exe 2884 Eniclh32.exe 2904 Egahen32.exe 2660 Fchijone.exe 2936 Fcjeon32.exe 2720 Fhgnge32.exe 2340 Fbpbpkpj.exe 2752 Fbbofjnh.exe 2544 Fdbhge32.exe 2680 Fkmqdpce.exe 1148 Gcheib32.exe 2208 Gegabegc.exe 1652 Gqnbhf32.exe 1976 Gfkkpmko.exe 1980 Gjicfk32.exe 1716 Gmgpbf32.exe 2132 Hnkion32.exe 2016 Heealhla.exe 588 Hbiaemkk.exe 648 Hhejnc32.exe 1492 Hlccdboi.exe 604 Hmeolj32.exe 2188 Iphecepe.exe 1000 Ifampo32.exe 2232 Ipjahd32.exe 2908 Imnbbi32.exe 2656 Ipokcdjn.exe 2940 Iapgkl32.exe 2372 Jbpdeogo.exe 2676 Jkkija32.exe 2452 Jgaiobjn.exe 2876 Jdejhfig.exe 2888 Jjbbpmgo.exe 2512 Jdhgnf32.exe 2836 Kfkpknkq.exe 1944 Klehgh32.exe 1928 Kfnmpn32.exe 1836 Klhemhpk.exe 940 Kljabgnh.exe 1896 Kohnoc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2504 41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe 2504 41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe 2832 Aollokco.exe 2832 Aollokco.exe 2612 Aggpdnpj.exe 2612 Aggpdnpj.exe 2532 Anahqh32.exe 2532 Anahqh32.exe 2664 Aigmnqgm.exe 2664 Aigmnqgm.exe 2584 Aababceh.exe 2584 Aababceh.exe 1888 Bnhoag32.exe 1888 Bnhoag32.exe 2488 Bcegin32.exe 2488 Bcegin32.exe 2880 Baigca32.exe 2880 Baigca32.exe 1916 Bekmle32.exe 1916 Bekmle32.exe 2600 Bncaekhp.exe 2600 Bncaekhp.exe 2492 Cadjgf32.exe 2492 Cadjgf32.exe 1972 Cohkpj32.exe 1972 Cohkpj32.exe 1572 Ckolek32.exe 1572 Ckolek32.exe 1912 Cffljlpc.exe 1912 Cffljlpc.exe 1088 Cheido32.exe 1088 Cheido32.exe 2140 Danmmd32.exe 2140 Danmmd32.exe 1160 Dljkcb32.exe 1160 Dljkcb32.exe 688 Debplg32.exe 688 Debplg32.exe 1364 Dojddmec.exe 1364 Dojddmec.exe 1428 Dkadjn32.exe 1428 Dkadjn32.exe 896 Dakmfh32.exe 896 Dakmfh32.exe 2184 Eoompl32.exe 2184 Eoompl32.exe 572 Eapfagno.exe 572 Eapfagno.exe 1796 Egmojnlf.exe 1796 Egmojnlf.exe 3040 Edqocbkp.exe 3040 Edqocbkp.exe 2884 Eniclh32.exe 2884 Eniclh32.exe 2904 Egahen32.exe 2904 Egahen32.exe 2660 Fchijone.exe 2660 Fchijone.exe 2936 Fcjeon32.exe 2936 Fcjeon32.exe 2720 Fhgnge32.exe 2720 Fhgnge32.exe 2340 Fbpbpkpj.exe 2340 Fbpbpkpj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eapfagno.exe Eoompl32.exe File created C:\Windows\SysWOW64\Ioiepeog.dll Mijamjnm.exe File opened for modification C:\Windows\SysWOW64\Pciddedl.exe Pgbdodnh.exe File opened for modification C:\Windows\SysWOW64\Cmmcpi32.exe Cceogcfj.exe File opened for modification C:\Windows\SysWOW64\Loclai32.exe Lhiddoph.exe File created C:\Windows\SysWOW64\Ekaggl32.dll Klhemhpk.exe File created C:\Windows\SysWOW64\Damocb32.dll Panaeb32.exe File created C:\Windows\SysWOW64\Opialpld.exe Oioipf32.exe File created C:\Windows\SysWOW64\Pjleclph.exe Pdbmfb32.exe File created C:\Windows\SysWOW64\Ndjcbk32.dll Ldjpbign.exe File created C:\Windows\SysWOW64\Mqpflg32.exe Mggabaea.exe File created C:\Windows\SysWOW64\Dhhgkj32.dll Icafgmbe.exe File created C:\Windows\SysWOW64\Ilnomp32.exe Injndk32.exe File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe Bjkhdacm.exe File created C:\Windows\SysWOW64\Joidhh32.exe Jlkglm32.exe File created C:\Windows\SysWOW64\Pjddaagq.dll Gcgqgd32.exe File opened for modification C:\Windows\SysWOW64\Gfkkpmko.exe Gqnbhf32.exe File created C:\Windows\SysWOW64\Pebncn32.dll Ldmopa32.exe File created C:\Windows\SysWOW64\Fdpcbceo.dll Mjqmig32.exe File created C:\Windows\SysWOW64\Jbbccgmp.exe Jlhkgm32.exe File opened for modification C:\Windows\SysWOW64\Kmegjdad.exe Kbpbmkan.exe File created C:\Windows\SysWOW64\Elipgofb.exe Eijdkcgn.exe File opened for modification C:\Windows\SysWOW64\Ihpfgalh.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Pidfdofi.exe Pdgmlhha.exe File created C:\Windows\SysWOW64\Bgmdailj.dll Bjkhdacm.exe File opened for modification C:\Windows\SysWOW64\Bacihmoo.exe Boemlbpk.exe File opened for modification C:\Windows\SysWOW64\Ohfcfb32.exe Objjnkie.exe File created C:\Windows\SysWOW64\Mplfpn32.dll Fbbofjnh.exe File created C:\Windows\SysWOW64\Nlhjhi32.exe Nlfmbibo.exe File created C:\Windows\SysWOW64\Lmmbhhfg.dll Dbfbnddq.exe File created C:\Windows\SysWOW64\Dniefn32.dll Emdeok32.exe File opened for modification C:\Windows\SysWOW64\Ppcbgkka.exe Ogknoe32.exe File created C:\Windows\SysWOW64\Llechb32.dll Lboiol32.exe File created C:\Windows\SysWOW64\Pojhbfni.dll Jbbccgmp.exe File created C:\Windows\SysWOW64\Mfnqeb32.dll Imgnjb32.exe File opened for modification C:\Windows\SysWOW64\Icfpbl32.exe Iahceq32.exe File created C:\Windows\SysWOW64\Oqfopomn.dll Honnki32.exe File created C:\Windows\SysWOW64\Dpdidmdg.dll Nbjeinje.exe File created C:\Windows\SysWOW64\Ldmopa32.exe Lncfcgeb.exe File opened for modification C:\Windows\SysWOW64\Ieponofk.exe Hmdkjmip.exe File created C:\Windows\SysWOW64\Bmlael32.exe Bjmeiq32.exe File opened for modification C:\Windows\SysWOW64\Aejlnmkm.exe Apmcefmf.exe File opened for modification C:\Windows\SysWOW64\Emdeok32.exe Edidqf32.exe File opened for modification C:\Windows\SysWOW64\Panaeb32.exe Pciddedl.exe File created C:\Windows\SysWOW64\Oeaqig32.exe Ncpdbohb.exe File created C:\Windows\SysWOW64\Pbonaedo.dll Hnmacpfj.exe File created C:\Windows\SysWOW64\Fflkbagk.dll Jlkglm32.exe File opened for modification C:\Windows\SysWOW64\Jmnqje32.exe Jdflqo32.exe File created C:\Windows\SysWOW64\Plbkfdba.exe Picojhcm.exe File created C:\Windows\SysWOW64\Djiqcmnn.dll Ndqkleln.exe File opened for modification C:\Windows\SysWOW64\Pojecajj.exe Pafdjmkq.exe File created C:\Windows\SysWOW64\Gcheib32.exe Fkmqdpce.exe File opened for modification C:\Windows\SysWOW64\Imnbbi32.exe Ipjahd32.exe File created C:\Windows\SysWOW64\Imbjcpnn.exe Ijcngenj.exe File created C:\Windows\SysWOW64\Kmnfciac.dll Jpjifjdg.exe File opened for modification C:\Windows\SysWOW64\Kfnmpn32.exe Klehgh32.exe File created C:\Windows\SysWOW64\Bbjclbek.dll Akabgebj.exe File created C:\Windows\SysWOW64\Oioipf32.exe Opfegp32.exe File opened for modification C:\Windows\SysWOW64\Bolcma32.exe Bgdkkc32.exe File created C:\Windows\SysWOW64\Fchook32.dll Bigkel32.exe File created C:\Windows\SysWOW64\Ojgidcjn.dll Oeaqig32.exe File created C:\Windows\SysWOW64\Pgdekc32.dll Qejpoi32.exe File created C:\Windows\SysWOW64\Keppajog.dll Imbjcpnn.exe File created C:\Windows\SysWOW64\Fpcgndfi.dll Gdegfn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbnol32.dll" Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edlhqlfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbbccgmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Niedqnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnhhline.dll" Hbdjcffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbmdane.dll" 41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlkglm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piaoqi32.dll" Gpggei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaihg32.dll" Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadafg32.dll" Egahen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbiaemkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhln32.dll" Pnchhllf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnhoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfhj32.dll" Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgiha32.dll" Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeldkonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphcfh32.dll" Ogknoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflkbagk.dll" Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaipmp32.dll" Gjicfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqahnjpk.dll" Jbpdeogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eimcjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aigmnqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgbdodnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmjki32.dll" Eecafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cohkpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oehdan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhimbk32.dll" Ndfnecgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boemlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmdhn32.dll" Fadndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnnhngjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpdgbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimllb32.dll" Debadpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnejim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddgejcp.dll" Mmgfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cheido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anjlebjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iahceq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcool32.dll" Dnjoco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnijmcj.dll" Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pciddedl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnhoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobfbpbc.dll" Cidddj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfhdnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fccglehn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2504 wrote to memory of 2832 2504 41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe 28 PID 2504 wrote to memory of 2832 2504 41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe 28 PID 2504 wrote to memory of 2832 2504 41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe 28 PID 2504 wrote to memory of 2832 2504 41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe 28 PID 2832 wrote to memory of 2612 2832 Aollokco.exe 29 PID 2832 wrote to memory of 2612 2832 Aollokco.exe 29 PID 2832 wrote to memory of 2612 2832 Aollokco.exe 29 PID 2832 wrote to memory of 2612 2832 Aollokco.exe 29 PID 2612 wrote to memory of 2532 2612 Aggpdnpj.exe 30 PID 2612 wrote to memory of 2532 2612 Aggpdnpj.exe 30 PID 2612 wrote to memory of 2532 2612 Aggpdnpj.exe 30 PID 2612 wrote to memory of 2532 2612 Aggpdnpj.exe 30 PID 2532 wrote to memory of 2664 2532 Anahqh32.exe 31 PID 2532 wrote to memory of 2664 2532 Anahqh32.exe 31 PID 2532 wrote to memory of 2664 2532 Anahqh32.exe 31 PID 2532 wrote to memory of 2664 2532 Anahqh32.exe 31 PID 2664 wrote to memory of 2584 2664 Aigmnqgm.exe 32 PID 2664 wrote to memory of 2584 2664 Aigmnqgm.exe 32 PID 2664 wrote to memory of 2584 2664 Aigmnqgm.exe 32 PID 2664 wrote to memory of 2584 2664 Aigmnqgm.exe 32 PID 2584 wrote to memory of 1888 2584 Aababceh.exe 33 PID 2584 wrote to memory of 1888 2584 Aababceh.exe 33 PID 2584 wrote to memory of 1888 2584 Aababceh.exe 33 PID 2584 wrote to memory of 1888 2584 Aababceh.exe 33 PID 1888 wrote to memory of 2488 1888 Bnhoag32.exe 34 PID 1888 wrote to memory of 2488 1888 Bnhoag32.exe 34 PID 1888 wrote to memory of 2488 1888 Bnhoag32.exe 34 PID 1888 wrote to memory of 2488 1888 Bnhoag32.exe 34 PID 2488 wrote to memory of 2880 2488 Bcegin32.exe 35 PID 2488 wrote to memory of 2880 2488 Bcegin32.exe 35 PID 2488 wrote to memory of 2880 2488 Bcegin32.exe 35 PID 2488 wrote to memory of 2880 2488 Bcegin32.exe 35 PID 2880 wrote to memory of 1916 2880 Baigca32.exe 36 PID 2880 wrote to memory of 1916 2880 Baigca32.exe 36 PID 2880 wrote to memory of 1916 2880 Baigca32.exe 36 PID 2880 wrote to memory of 1916 2880 Baigca32.exe 36 PID 1916 wrote to memory of 2600 1916 Bekmle32.exe 37 PID 1916 wrote to memory of 2600 1916 Bekmle32.exe 37 PID 1916 wrote to memory of 2600 1916 Bekmle32.exe 37 PID 1916 wrote to memory of 2600 1916 Bekmle32.exe 37 PID 2600 wrote to memory of 2492 2600 Bncaekhp.exe 38 PID 2600 wrote to memory of 2492 2600 Bncaekhp.exe 38 PID 2600 wrote to memory of 2492 2600 Bncaekhp.exe 38 PID 2600 wrote to memory of 2492 2600 Bncaekhp.exe 38 PID 2492 wrote to memory of 1972 2492 Cadjgf32.exe 39 PID 2492 wrote to memory of 1972 2492 Cadjgf32.exe 39 PID 2492 wrote to memory of 1972 2492 Cadjgf32.exe 39 PID 2492 wrote to memory of 1972 2492 Cadjgf32.exe 39 PID 1972 wrote to memory of 1572 1972 Cohkpj32.exe 40 PID 1972 wrote to memory of 1572 1972 Cohkpj32.exe 40 PID 1972 wrote to memory of 1572 1972 Cohkpj32.exe 40 PID 1972 wrote to memory of 1572 1972 Cohkpj32.exe 40 PID 1572 wrote to memory of 1912 1572 Ckolek32.exe 41 PID 1572 wrote to memory of 1912 1572 Ckolek32.exe 41 PID 1572 wrote to memory of 1912 1572 Ckolek32.exe 41 PID 1572 wrote to memory of 1912 1572 Ckolek32.exe 41 PID 1912 wrote to memory of 1088 1912 Cffljlpc.exe 42 PID 1912 wrote to memory of 1088 1912 Cffljlpc.exe 42 PID 1912 wrote to memory of 1088 1912 Cffljlpc.exe 42 PID 1912 wrote to memory of 1088 1912 Cffljlpc.exe 42 PID 1088 wrote to memory of 2140 1088 Cheido32.exe 43 PID 1088 wrote to memory of 2140 1088 Cheido32.exe 43 PID 1088 wrote to memory of 2140 1088 Cheido32.exe 43 PID 1088 wrote to memory of 2140 1088 Cheido32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe"C:\Users\Admin\AppData\Local\Temp\41e92de3ba3aaff85e9929088e16124385c92be5a5dd1aa4982a2edf0438da66.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe34⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe36⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe39⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe41⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe42⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe43⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe45⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe46⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe47⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe48⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe49⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe51⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe52⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe55⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe56⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe57⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe59⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe60⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe62⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe64⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe65⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe66⤵PID:1804
-
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe67⤵PID:2952
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe68⤵
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe69⤵PID:1568
-
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe70⤵PID:2300
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1344 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe72⤵PID:2280
-
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe73⤵PID:1772
-
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe74⤵PID:1768
-
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe75⤵PID:2648
-
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe76⤵PID:2812
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe77⤵PID:2636
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe78⤵PID:2620
-
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe79⤵PID:2428
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe80⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe81⤵PID:2872
-
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe82⤵PID:1968
-
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe83⤵PID:1272
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe84⤵PID:1996
-
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe85⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe86⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe87⤵PID:1624
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe88⤵PID:1424
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe89⤵PID:632
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe90⤵PID:2820
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe91⤵PID:1756
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe92⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe93⤵PID:2596
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe95⤵PID:840
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe96⤵PID:2332
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe97⤵PID:2368
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe100⤵
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe101⤵PID:2044
-
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe102⤵PID:2968
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe103⤵PID:2240
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe104⤵PID:1988
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe106⤵PID:2844
-
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe107⤵PID:2780
-
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe109⤵PID:1640
-
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe110⤵PID:884
-
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe111⤵PID:3024
-
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe112⤵PID:1440
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe113⤵PID:2932
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe114⤵PID:1216
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe115⤵PID:624
-
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe117⤵PID:2052
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:804 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe119⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe120⤵PID:2716
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe121⤵PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-