Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
05/04/2024, 19:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe
-
Size
704KB
-
MD5
38455fba1a18bfef7e8ca0d14f9a52da
-
SHA1
9471ba0a0f631b942a023dc1f94a72148e1d5902
-
SHA256
20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6
-
SHA512
5b2e6802a116fd87264ad253a088ea76116b55da21c21318040e9dba2453a662613a243e833ff06e7f3714b6f2e97e5e4bd0c2c6108abe031870847b0200da51
-
SSDEEP
12288:xEyxd44wrQg5W/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5b:xhD1wrQg5Wm0BmmvFimm0MTP7hm0b
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifcbodli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jghmfhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epaogi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lplogdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apomfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cclkfdnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imeggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljgfioc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdllkhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bopicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcfqkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caknol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igainn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdgafdfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikekmq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefkjkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfcampgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldcamcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnkmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdmmfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahikqd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2892 Flgbho32.exe 2632 Fepgqdnc.exe 2912 Flllcndm.exe 2608 Fhbmho32.exe 2424 Gamnfd32.exe 2824 Gihbjfkj.exe 1576 Ggopijha.exe 1044 Gpgdbpob.exe 2340 Hakmph32.exe 1612 Hamjehqk.exe 1028 Hhgbba32.exe 1616 Hdpplb32.exe 2512 Igainn32.exe 704 Impnldeo.exe 1808 Iqljlb32.exe 2380 Icjfhn32.exe 852 Ifhbdj32.exe 3056 Iigoqe32.exe 1720 Ikekmq32.exe 1628 Iclcnnji.exe 276 Ifkojiim.exe 864 Imeggc32.exe 2280 Ioccco32.exe 2100 Ibapoj32.exe 332 Jeplkf32.exe 896 Jgnhga32.exe 2012 Jnhqdkde.exe 1540 Jagmpg32.exe 2508 Jebiaelb.exe 2680 Jklanp32.exe 2576 Jnkmjk32.exe 2688 Jaiiff32.exe 2656 Jgcabqic.exe 2624 Jkonco32.exe 2828 Jmpjkggj.exe 1968 Jegble32.exe 2160 Jgenhp32.exe 2856 Jjdkdl32.exe 2332 Jmbgpg32.exe 1752 Jpqclb32.exe 1580 Jghknp32.exe 472 Jiigehkl.exe 1772 Kappfeln.exe 2604 Kbalnnam.exe 2732 Kjhdokbo.exe 2020 Kikdkh32.exe 336 Kljqgc32.exe 592 Kbcicmpj.exe 2884 Kinaqg32.exe 2952 Kmimafop.exe 2324 Kphimanc.exe 1820 Knjiin32.exe 588 Kfaajlfp.exe 1956 Kipnfged.exe 564 Klnjbbdh.exe 1440 Kbhbom32.exe 2600 Kegnkh32.exe 1420 Kibjkgca.exe 2612 Klqfhbbe.exe 2616 Koocdnai.exe 2752 Kanopipl.exe 748 Lhggmchi.exe 2152 Loapim32.exe 2408 Lekhfgfc.exe -
Loads dropped DLL 64 IoCs
pid Process 2204 20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe 2204 20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe 2892 Flgbho32.exe 2892 Flgbho32.exe 2632 Fepgqdnc.exe 2632 Fepgqdnc.exe 2912 Flllcndm.exe 2912 Flllcndm.exe 2608 Fhbmho32.exe 2608 Fhbmho32.exe 2424 Gamnfd32.exe 2424 Gamnfd32.exe 2824 Gihbjfkj.exe 2824 Gihbjfkj.exe 1576 Ggopijha.exe 1576 Ggopijha.exe 1044 Gpgdbpob.exe 1044 Gpgdbpob.exe 2340 Hakmph32.exe 2340 Hakmph32.exe 1612 Hamjehqk.exe 1612 Hamjehqk.exe 1028 Hhgbba32.exe 1028 Hhgbba32.exe 1616 Hdpplb32.exe 1616 Hdpplb32.exe 2512 Igainn32.exe 2512 Igainn32.exe 704 Impnldeo.exe 704 Impnldeo.exe 1808 Iqljlb32.exe 1808 Iqljlb32.exe 2380 Icjfhn32.exe 2380 Icjfhn32.exe 852 Ifhbdj32.exe 852 Ifhbdj32.exe 3056 Iigoqe32.exe 3056 Iigoqe32.exe 1720 Ikekmq32.exe 1720 Ikekmq32.exe 1628 Iclcnnji.exe 1628 Iclcnnji.exe 276 Ifkojiim.exe 276 Ifkojiim.exe 864 Imeggc32.exe 864 Imeggc32.exe 2280 Ioccco32.exe 2280 Ioccco32.exe 2100 Ibapoj32.exe 2100 Ibapoj32.exe 332 Jeplkf32.exe 332 Jeplkf32.exe 896 Jgnhga32.exe 896 Jgnhga32.exe 2012 Jnhqdkde.exe 2012 Jnhqdkde.exe 1540 Jagmpg32.exe 1540 Jagmpg32.exe 2508 Jebiaelb.exe 2508 Jebiaelb.exe 2680 Jklanp32.exe 2680 Jklanp32.exe 2576 Jnkmjk32.exe 2576 Jnkmjk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gljilnja.dll Pgeefbhm.exe File opened for modification C:\Windows\SysWOW64\Peiepfgg.exe Pmanoifd.exe File created C:\Windows\SysWOW64\Pmbdhi32.dll Bdgafdfp.exe File opened for modification C:\Windows\SysWOW64\Cklmgb32.exe Chnqkg32.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Oqkqkdne.exe Olpdjf32.exe File created C:\Windows\SysWOW64\Apmabnaj.dll Papfegmk.exe File created C:\Windows\SysWOW64\Nmnlfg32.dll Cnmehnan.exe File created C:\Windows\SysWOW64\Jqilooij.exe Jgagfi32.exe File created C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Fakndl32.dll Jghknp32.exe File created C:\Windows\SysWOW64\Nehmdhja.exe Nondgn32.exe File opened for modification C:\Windows\SysWOW64\Qcpofbjl.exe Qabcjgkh.exe File created C:\Windows\SysWOW64\Bihebmne.dll Ikekmq32.exe File created C:\Windows\SysWOW64\Hhehek32.exe Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Jehkodcm.exe Jfekcg32.exe File created C:\Windows\SysWOW64\Dkcofe32.exe Dggcffhg.exe File created C:\Windows\SysWOW64\Cngcjo32.exe Bcaomf32.exe File created C:\Windows\SysWOW64\Gjlegpjp.dll Ncgdbmmp.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Fjilieka.exe File created C:\Windows\SysWOW64\Oomkin32.dll Ppjglfon.exe File created C:\Windows\SysWOW64\Ilknfn32.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Pjmodopf.exe Pphjgfqq.exe File opened for modification C:\Windows\SysWOW64\Lpjdjmfp.exe Liplnc32.exe File created C:\Windows\SysWOW64\Nenobfak.exe Ncpcfkbg.exe File created C:\Windows\SysWOW64\Mqeihfll.dll Ncoamb32.exe File created C:\Windows\SysWOW64\Fhqbkhch.exe Fcefji32.exe File created C:\Windows\SysWOW64\Hoamgd32.exe Hkfagfop.exe File created C:\Windows\SysWOW64\Jfiilbkl.dll Dkqbaecc.exe File created C:\Windows\SysWOW64\Hljdna32.dll Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Eqdajkkb.exe Enfenplo.exe File created C:\Windows\SysWOW64\Dhcebp32.dll Igkdgk32.exe File created C:\Windows\SysWOW64\Pnajilng.exe Pfjbgnme.exe File created C:\Windows\SysWOW64\Ncfnmo32.dll Bfcampgf.exe File created C:\Windows\SysWOW64\Ffklhqao.exe Fbopgb32.exe File created C:\Windows\SysWOW64\Ngbkba32.dll Inifnq32.exe File created C:\Windows\SysWOW64\Ghkllmoi.exe Gelppaof.exe File opened for modification C:\Windows\SysWOW64\Affhncfc.exe Ahchbf32.exe File opened for modification C:\Windows\SysWOW64\Nlcnda32.exe Ngfflj32.exe File created C:\Windows\SysWOW64\Abmmmm32.dll Hakmph32.exe File created C:\Windows\SysWOW64\Pogclp32.exe Pgplkb32.exe File created C:\Windows\SysWOW64\Jkjecnop.dll Bhcdaibd.exe File opened for modification C:\Windows\SysWOW64\Hdpplb32.exe Hhgbba32.exe File opened for modification C:\Windows\SysWOW64\Ahlgfdeq.exe Adpkee32.exe File opened for modification C:\Windows\SysWOW64\Pkpagq32.exe Pgeefbhm.exe File opened for modification C:\Windows\SysWOW64\Mcegmm32.exe Mpfkqb32.exe File created C:\Windows\SysWOW64\Geiiogja.dll Bfadgq32.exe File opened for modification C:\Windows\SysWOW64\Gfmemc32.exe Gdniqh32.exe File created C:\Windows\SysWOW64\Pikhak32.dll Lnbbbffj.exe File created C:\Windows\SysWOW64\Lhbcfa32.exe Lecgje32.exe File created C:\Windows\SysWOW64\Imehcohk.dll Eqdajkkb.exe File created C:\Windows\SysWOW64\Mhhfdo32.exe Mffimglk.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Bnpmipql.exe File created C:\Windows\SysWOW64\Lndipl32.dll Lekhfgfc.exe File created C:\Windows\SysWOW64\Pdpfph32.dll Iaeiieeb.exe File created C:\Windows\SysWOW64\Ncgdbmmp.exe Mpigfa32.exe File opened for modification C:\Windows\SysWOW64\Cnobnmpl.exe Cgejac32.exe File opened for modification C:\Windows\SysWOW64\Ecejkf32.exe Eqgnokip.exe File created C:\Windows\SysWOW64\Dlnqnenm.dll Kjhdokbo.exe File created C:\Windows\SysWOW64\Kigbna32.dll Jnffgd32.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Fjlhneio.exe File opened for modification C:\Windows\SysWOW64\Nceclqan.exe Nacgdhlp.exe File opened for modification C:\Windows\SysWOW64\Ocnfbo32.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Imeggc32.exe Ifkojiim.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6840 6816 WerFault.exe 607 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bafidiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemedbfd.dll" Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flabbihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapiomln.dll" Jfqahgpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfghif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jghknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmimafop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcqoe32.dll" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll" Lcfqkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgnhga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmkloid.dll" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amaipodm.dll" Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibapoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjljknn.dll" Kbhbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chemfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll" Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifiacd32.dll" Flehkhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fglipi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgjfkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nehmdhja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhfbqi.dll" Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alenki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll" Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jebiaelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll" Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjcnn32.dll" Hhgbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlafm32.dll" Omdneebf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbopgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibmmd32.dll" Hhckpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncjgbcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfkpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgknheej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehofegb.dll" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endaal32.dll" Iclcnnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfbdd32.dll" Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obopfpji.dll" Ogmfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdgafdfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlngpjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcfqkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfaajlfp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2892 2204 20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe 28 PID 2204 wrote to memory of 2892 2204 20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe 28 PID 2204 wrote to memory of 2892 2204 20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe 28 PID 2204 wrote to memory of 2892 2204 20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe 28 PID 2892 wrote to memory of 2632 2892 Flgbho32.exe 29 PID 2892 wrote to memory of 2632 2892 Flgbho32.exe 29 PID 2892 wrote to memory of 2632 2892 Flgbho32.exe 29 PID 2892 wrote to memory of 2632 2892 Flgbho32.exe 29 PID 2632 wrote to memory of 2912 2632 Fepgqdnc.exe 30 PID 2632 wrote to memory of 2912 2632 Fepgqdnc.exe 30 PID 2632 wrote to memory of 2912 2632 Fepgqdnc.exe 30 PID 2632 wrote to memory of 2912 2632 Fepgqdnc.exe 30 PID 2912 wrote to memory of 2608 2912 Flllcndm.exe 31 PID 2912 wrote to memory of 2608 2912 Flllcndm.exe 31 PID 2912 wrote to memory of 2608 2912 Flllcndm.exe 31 PID 2912 wrote to memory of 2608 2912 Flllcndm.exe 31 PID 2608 wrote to memory of 2424 2608 Fhbmho32.exe 32 PID 2608 wrote to memory of 2424 2608 Fhbmho32.exe 32 PID 2608 wrote to memory of 2424 2608 Fhbmho32.exe 32 PID 2608 wrote to memory of 2424 2608 Fhbmho32.exe 32 PID 2424 wrote to memory of 2824 2424 Gamnfd32.exe 33 PID 2424 wrote to memory of 2824 2424 Gamnfd32.exe 33 PID 2424 wrote to memory of 2824 2424 Gamnfd32.exe 33 PID 2424 wrote to memory of 2824 2424 Gamnfd32.exe 33 PID 2824 wrote to memory of 1576 2824 Gihbjfkj.exe 34 PID 2824 wrote to memory of 1576 2824 Gihbjfkj.exe 34 PID 2824 wrote to memory of 1576 2824 Gihbjfkj.exe 34 PID 2824 wrote to memory of 1576 2824 Gihbjfkj.exe 34 PID 1576 wrote to memory of 1044 1576 Ggopijha.exe 35 PID 1576 wrote to memory of 1044 1576 Ggopijha.exe 35 PID 1576 wrote to memory of 1044 1576 Ggopijha.exe 35 PID 1576 wrote to memory of 1044 1576 Ggopijha.exe 35 PID 1044 wrote to memory of 2340 1044 Gpgdbpob.exe 36 PID 1044 wrote to memory of 2340 1044 Gpgdbpob.exe 36 PID 1044 wrote to memory of 2340 1044 Gpgdbpob.exe 36 PID 1044 wrote to memory of 2340 1044 Gpgdbpob.exe 36 PID 2340 wrote to memory of 1612 2340 Hakmph32.exe 37 PID 2340 wrote to memory of 1612 2340 Hakmph32.exe 37 PID 2340 wrote to memory of 1612 2340 Hakmph32.exe 37 PID 2340 wrote to memory of 1612 2340 Hakmph32.exe 37 PID 1612 wrote to memory of 1028 1612 Hamjehqk.exe 38 PID 1612 wrote to memory of 1028 1612 Hamjehqk.exe 38 PID 1612 wrote to memory of 1028 1612 Hamjehqk.exe 38 PID 1612 wrote to memory of 1028 1612 Hamjehqk.exe 38 PID 1028 wrote to memory of 1616 1028 Hhgbba32.exe 39 PID 1028 wrote to memory of 1616 1028 Hhgbba32.exe 39 PID 1028 wrote to memory of 1616 1028 Hhgbba32.exe 39 PID 1028 wrote to memory of 1616 1028 Hhgbba32.exe 39 PID 1616 wrote to memory of 2512 1616 Hdpplb32.exe 40 PID 1616 wrote to memory of 2512 1616 Hdpplb32.exe 40 PID 1616 wrote to memory of 2512 1616 Hdpplb32.exe 40 PID 1616 wrote to memory of 2512 1616 Hdpplb32.exe 40 PID 2512 wrote to memory of 704 2512 Igainn32.exe 41 PID 2512 wrote to memory of 704 2512 Igainn32.exe 41 PID 2512 wrote to memory of 704 2512 Igainn32.exe 41 PID 2512 wrote to memory of 704 2512 Igainn32.exe 41 PID 704 wrote to memory of 1808 704 Impnldeo.exe 42 PID 704 wrote to memory of 1808 704 Impnldeo.exe 42 PID 704 wrote to memory of 1808 704 Impnldeo.exe 42 PID 704 wrote to memory of 1808 704 Impnldeo.exe 42 PID 1808 wrote to memory of 2380 1808 Iqljlb32.exe 43 PID 1808 wrote to memory of 2380 1808 Iqljlb32.exe 43 PID 1808 wrote to memory of 2380 1808 Iqljlb32.exe 43 PID 1808 wrote to memory of 2380 1808 Iqljlb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe"C:\Users\Admin\AppData\Local\Temp\20dbbecf27afdab1e05e24b179d3b0ab007d58b5d5deeb1c867cb3a794d010e6.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Flgbho32.exeC:\Windows\system32\Flgbho32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Fepgqdnc.exeC:\Windows\system32\Fepgqdnc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Flllcndm.exeC:\Windows\system32\Flllcndm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Fhbmho32.exeC:\Windows\system32\Fhbmho32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Gamnfd32.exeC:\Windows\system32\Gamnfd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Gihbjfkj.exeC:\Windows\system32\Gihbjfkj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Ggopijha.exeC:\Windows\system32\Ggopijha.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Gpgdbpob.exeC:\Windows\system32\Gpgdbpob.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Hakmph32.exeC:\Windows\system32\Hakmph32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Hamjehqk.exeC:\Windows\system32\Hamjehqk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Hhgbba32.exeC:\Windows\system32\Hhgbba32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe33⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe34⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe35⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe36⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe37⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe38⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe39⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe40⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe41⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe43⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe44⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe45⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe47⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe48⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe49⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe50⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe52⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe53⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe55⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe56⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe58⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe59⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe60⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe61⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe62⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe63⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe64⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe66⤵PID:2312
-
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe67⤵PID:644
-
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:280 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe69⤵PID:2956
-
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe70⤵PID:1568
-
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe71⤵PID:1868
-
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1052 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe74⤵PID:2416
-
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe75⤵PID:1864
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe76⤵PID:1716
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe77⤵PID:2328
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe78⤵PID:1672
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe79⤵PID:1928
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe80⤵PID:2572
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe81⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe82⤵PID:2664
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe83⤵
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe84⤵PID:1448
-
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe85⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe86⤵PID:836
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe87⤵PID:2000
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe88⤵PID:692
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe89⤵PID:1196
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe90⤵PID:1516
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe91⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe92⤵PID:2308
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe93⤵PID:2136
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe94⤵
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe95⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe96⤵PID:2240
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe97⤵PID:2124
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe98⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe99⤵PID:2352
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe100⤵PID:1388
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe101⤵PID:2172
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe102⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe105⤵PID:796
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe106⤵PID:312
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe107⤵PID:2112
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe108⤵PID:2932
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe109⤵PID:996
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe110⤵PID:2960
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe111⤵PID:888
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe112⤵PID:2776
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe113⤵PID:2740
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe114⤵PID:2748
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe115⤵PID:2660
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe116⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe117⤵PID:1004
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe118⤵PID:1264
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe119⤵PID:1456
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe120⤵
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe121⤵PID:1768
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-