Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 01:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe
-
Size
186KB
-
MD5
eb9d6283cc4f647c098a1a9abdf70916
-
SHA1
ad3f2c3e5d32c4251968d62103dec7c175049f81
-
SHA256
a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5
-
SHA512
2f914e3842e8119c0a9a27d99ad28bef6177aac3380c752400277ac1737aca2901d6a98fb8f4e43dc6426a465743757dc6c2a611f465e6c10a3e581469f7ac72
-
SSDEEP
3072:YJnI0igCv6ELQ53Fv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vG:Y5igCvM3F+Jk/4AcgHuv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohibdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijoeji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hknach32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gheimogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojieip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mepnpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocomlemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nceclqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnieom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmdjdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkqqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkqecnkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgcabqic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkknojp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfeimng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aibajhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgqcmlgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkbdiqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikopfih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhlmgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjfba32.exe -
Executes dropped EXE 64 IoCs
pid Process 2956 Gheimogo.exe 2664 Giffeg32.exe 2884 Gmabeeef.exe 2772 Glgofbjn.exe 2468 Gglcdkjd.exe 2972 Gikopfih.exe 1180 Gliklahk.exe 2120 Ggopijha.exe 2744 Gimlefge.exe 2520 Gllhaa32.exe 1656 Gojdnm32.exe 2820 Hedmkgmi.exe 1528 Hhbigblm.exe 1760 Hkqecnkq.exe 3048 Hakmph32.exe 540 Hdijlc32.exe 1140 Hlpamq32.exe 1680 Hnandi32.exe 2368 Hdkfacpo.exe 1780 Hkeonm32.exe 2164 Hoakolod.exe 1788 Haogkgoh.exe 1916 Hdncgbnl.exe 1236 Hglocnmp.exe 500 Hkhkcm32.exe 1628 Hgolhn32.exe 2728 Hjmhdi32.exe 3056 Inhdehbj.exe 2476 Iqgqacam.exe 2708 Icemmopa.exe 2592 Ijoeji32.exe 2856 Inkakhpg.exe 2568 Iolmbpfe.exe 2976 Ichico32.exe 2748 Iffeoj32.exe 2760 Iidbke32.exe 1564 Ioojhpdb.exe 1608 Ibmfdkcf.exe 3052 Imbkadcl.exe 804 Ioagno32.exe 644 Ibocjk32.exe 1720 Ifkojiim.exe 1976 Imeggc32.exe 2024 Ioccco32.exe 2316 Ibapoj32.exe 1360 Jeplkf32.exe 960 Jgnhga32.exe 488 Joepio32.exe 448 Jbdlejmn.exe 2616 Jebiaelb.exe 2504 Jgqemakf.exe 2500 Jjoailji.exe 1052 Jnkmjk32.exe 2548 Jaiiff32.exe 1464 Jedefejo.exe 760 Jgcabqic.exe 2436 Jjanolhg.exe 1384 Jnmjok32.exe 3028 Jakfkfpc.exe 712 Jegble32.exe 1712 Jgenhp32.exe 1908 Jfhocmnk.exe 2900 Jnofejom.exe 2064 Jmbgpg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2400 a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe 2400 a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe 2956 Gheimogo.exe 2956 Gheimogo.exe 2664 Giffeg32.exe 2664 Giffeg32.exe 2884 Gmabeeef.exe 2884 Gmabeeef.exe 2772 Glgofbjn.exe 2772 Glgofbjn.exe 2468 Gglcdkjd.exe 2468 Gglcdkjd.exe 2972 Gikopfih.exe 2972 Gikopfih.exe 1180 Gliklahk.exe 1180 Gliklahk.exe 2120 Ggopijha.exe 2120 Ggopijha.exe 2744 Gimlefge.exe 2744 Gimlefge.exe 2520 Gllhaa32.exe 2520 Gllhaa32.exe 1656 Gojdnm32.exe 1656 Gojdnm32.exe 2820 Hedmkgmi.exe 2820 Hedmkgmi.exe 1528 Hhbigblm.exe 1528 Hhbigblm.exe 1760 Hkqecnkq.exe 1760 Hkqecnkq.exe 3048 Hakmph32.exe 3048 Hakmph32.exe 540 Hdijlc32.exe 540 Hdijlc32.exe 1140 Hlpamq32.exe 1140 Hlpamq32.exe 1680 Hnandi32.exe 1680 Hnandi32.exe 2368 Hdkfacpo.exe 2368 Hdkfacpo.exe 1780 Hkeonm32.exe 1780 Hkeonm32.exe 2164 Hoakolod.exe 2164 Hoakolod.exe 1788 Haogkgoh.exe 1788 Haogkgoh.exe 1916 Hdncgbnl.exe 1916 Hdncgbnl.exe 1236 Hglocnmp.exe 1236 Hglocnmp.exe 500 Hkhkcm32.exe 500 Hkhkcm32.exe 1628 Hgolhn32.exe 1628 Hgolhn32.exe 2728 Hjmhdi32.exe 2728 Hjmhdi32.exe 3056 Inhdehbj.exe 3056 Inhdehbj.exe 2476 Iqgqacam.exe 2476 Iqgqacam.exe 2708 Icemmopa.exe 2708 Icemmopa.exe 2592 Ijoeji32.exe 2592 Ijoeji32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lfnbefhd.dll Njlockkm.exe File opened for modification C:\Windows\SysWOW64\Dbbkja32.exe Dodonf32.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hpapln32.exe File created C:\Windows\SysWOW64\Oddpfc32.exe Olmhdf32.exe File created C:\Windows\SysWOW64\Bbhela32.exe Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Bemgilhh.exe Bbokmqie.exe File created C:\Windows\SysWOW64\Eibbcm32.exe Efcfga32.exe File opened for modification C:\Windows\SysWOW64\Qljkhe32.exe Qaefjm32.exe File opened for modification C:\Windows\SysWOW64\Baqbenep.exe Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Ebpkce32.exe Epaogi32.exe File created C:\Windows\SysWOW64\Pggbla32.exe Pclfkc32.exe File created C:\Windows\SysWOW64\Fnnkng32.dll Biamilfj.exe File created C:\Windows\SysWOW64\Giffeg32.exe Gheimogo.exe File created C:\Windows\SysWOW64\Maphdl32.exe Mpolmdkg.exe File opened for modification C:\Windows\SysWOW64\Kmopod32.exe Kiccofna.exe File created C:\Windows\SysWOW64\Gkkemh32.exe Ggpimica.exe File created C:\Windows\SysWOW64\Kcfkfo32.exe Kpkofpgq.exe File created C:\Windows\SysWOW64\Hgmhlp32.dll Ddcdkl32.exe File opened for modification C:\Windows\SysWOW64\Lbqabkql.exe Llfifq32.exe File opened for modification C:\Windows\SysWOW64\Pimkpfeh.exe Pfoocjfd.exe File created C:\Windows\SysWOW64\Dolnad32.exe Dlnbeh32.exe File opened for modification C:\Windows\SysWOW64\Jfhocmnk.exe Jgenhp32.exe File created C:\Windows\SysWOW64\Acjgoa32.dll Lhlqhb32.exe File opened for modification C:\Windows\SysWOW64\Jnqphi32.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Monhhk32.exe Mkclhl32.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Obcccl32.exe File created C:\Windows\SysWOW64\Njabih32.dll Boqbfb32.exe File created C:\Windows\SysWOW64\Mgcgmb32.exe Mhqfbebj.exe File opened for modification C:\Windows\SysWOW64\Dkmmhf32.exe Dgaqgh32.exe File created C:\Windows\SysWOW64\Nolhan32.exe Mpigfa32.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Ohibdf32.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Obafnlpn.exe File opened for modification C:\Windows\SysWOW64\Dfffnn32.exe Dbkknojp.exe File created C:\Windows\SysWOW64\Ehgeib32.dll Kbalnnam.exe File opened for modification C:\Windows\SysWOW64\Pipopl32.exe Pfbccp32.exe File created C:\Windows\SysWOW64\Lnfhlh32.dll Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Mgcgmb32.exe Mhqfbebj.exe File created C:\Windows\SysWOW64\Kjcpii32.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Njcbaa32.dll Dbbkja32.exe File created C:\Windows\SysWOW64\Hejodhmc.dll Olpdjf32.exe File created C:\Windows\SysWOW64\Cpkbdiqb.exe Cnmehnan.exe File created C:\Windows\SysWOW64\Lkhpnnej.exe Ldnhad32.exe File created C:\Windows\SysWOW64\Fqpjbf32.dll Cjndop32.exe File created C:\Windows\SysWOW64\Lcoich32.dll Nacgdhlp.exe File opened for modification C:\Windows\SysWOW64\Ajhgmpfg.exe Alegac32.exe File created C:\Windows\SysWOW64\Ceodnl32.exe Ccahbp32.exe File created C:\Windows\SysWOW64\Endaal32.dll Ibocjk32.exe File created C:\Windows\SysWOW64\Dglhipbb.dll Keoapb32.exe File created C:\Windows\SysWOW64\Kpbbidem.dll Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Bfenbpec.exe Bbjbaa32.exe File created C:\Windows\SysWOW64\Haobqm32.dll Mohbip32.exe File created C:\Windows\SysWOW64\Jnemdecl.exe Ifnechbj.exe File opened for modification C:\Windows\SysWOW64\Ladeqhjd.exe Limmokib.exe File opened for modification C:\Windows\SysWOW64\Nnbhek32.exe Nfkpdn32.exe File created C:\Windows\SysWOW64\Jfojbj32.dll Icpigm32.exe File created C:\Windows\SysWOW64\Ilpedi32.dll Blgpef32.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dccagcgk.exe File opened for modification C:\Windows\SysWOW64\Ifkojiim.exe Ibocjk32.exe File created C:\Windows\SysWOW64\Jfkkimlh.exe Jclomamd.exe File created C:\Windows\SysWOW64\Gfhemi32.dll Ailkjmpo.exe File created C:\Windows\SysWOW64\Mdqmicng.dll Najdnj32.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Kkgklabn.dll Qfahhm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6160 7144 WerFault.exe 682 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhlmgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebodiofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqfffqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll" Cafecmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejpdgffb.dll" Jnmjok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkeonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keikqhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maodqp32.dll" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nondgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggiipie.dll" Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofdcjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlmdcf.dll" Kikdkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolcnd32.dll" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbdjhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kebepion.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhlhki32.dll" Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfjjia.dll" Ocomlemo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjdbp32.dll" Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgqemakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klqfhbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndpfkdmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmjfdejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iajcde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngohf32.dll" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gojdnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecghfh32.dll" Ibmfdkcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldcamcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopodh32.dll" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kllmmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kibjkgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lekhfgfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaeoang.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkeimlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fonfbi32.dll" Ngfcca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjmhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfpmgon.dll" Kphimanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gliklahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghhfge32.dll" Hkhkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pqkmjh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2956 2400 a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe 28 PID 2400 wrote to memory of 2956 2400 a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe 28 PID 2400 wrote to memory of 2956 2400 a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe 28 PID 2400 wrote to memory of 2956 2400 a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe 28 PID 2956 wrote to memory of 2664 2956 Gheimogo.exe 29 PID 2956 wrote to memory of 2664 2956 Gheimogo.exe 29 PID 2956 wrote to memory of 2664 2956 Gheimogo.exe 29 PID 2956 wrote to memory of 2664 2956 Gheimogo.exe 29 PID 2664 wrote to memory of 2884 2664 Giffeg32.exe 30 PID 2664 wrote to memory of 2884 2664 Giffeg32.exe 30 PID 2664 wrote to memory of 2884 2664 Giffeg32.exe 30 PID 2664 wrote to memory of 2884 2664 Giffeg32.exe 30 PID 2884 wrote to memory of 2772 2884 Gmabeeef.exe 31 PID 2884 wrote to memory of 2772 2884 Gmabeeef.exe 31 PID 2884 wrote to memory of 2772 2884 Gmabeeef.exe 31 PID 2884 wrote to memory of 2772 2884 Gmabeeef.exe 31 PID 2772 wrote to memory of 2468 2772 Glgofbjn.exe 32 PID 2772 wrote to memory of 2468 2772 Glgofbjn.exe 32 PID 2772 wrote to memory of 2468 2772 Glgofbjn.exe 32 PID 2772 wrote to memory of 2468 2772 Glgofbjn.exe 32 PID 2468 wrote to memory of 2972 2468 Gglcdkjd.exe 33 PID 2468 wrote to memory of 2972 2468 Gglcdkjd.exe 33 PID 2468 wrote to memory of 2972 2468 Gglcdkjd.exe 33 PID 2468 wrote to memory of 2972 2468 Gglcdkjd.exe 33 PID 2972 wrote to memory of 1180 2972 Gikopfih.exe 34 PID 2972 wrote to memory of 1180 2972 Gikopfih.exe 34 PID 2972 wrote to memory of 1180 2972 Gikopfih.exe 34 PID 2972 wrote to memory of 1180 2972 Gikopfih.exe 34 PID 1180 wrote to memory of 2120 1180 Gliklahk.exe 35 PID 1180 wrote to memory of 2120 1180 Gliklahk.exe 35 PID 1180 wrote to memory of 2120 1180 Gliklahk.exe 35 PID 1180 wrote to memory of 2120 1180 Gliklahk.exe 35 PID 2120 wrote to memory of 2744 2120 Ggopijha.exe 36 PID 2120 wrote to memory of 2744 2120 Ggopijha.exe 36 PID 2120 wrote to memory of 2744 2120 Ggopijha.exe 36 PID 2120 wrote to memory of 2744 2120 Ggopijha.exe 36 PID 2744 wrote to memory of 2520 2744 Gimlefge.exe 37 PID 2744 wrote to memory of 2520 2744 Gimlefge.exe 37 PID 2744 wrote to memory of 2520 2744 Gimlefge.exe 37 PID 2744 wrote to memory of 2520 2744 Gimlefge.exe 37 PID 2520 wrote to memory of 1656 2520 Gllhaa32.exe 38 PID 2520 wrote to memory of 1656 2520 Gllhaa32.exe 38 PID 2520 wrote to memory of 1656 2520 Gllhaa32.exe 38 PID 2520 wrote to memory of 1656 2520 Gllhaa32.exe 38 PID 1656 wrote to memory of 2820 1656 Gojdnm32.exe 39 PID 1656 wrote to memory of 2820 1656 Gojdnm32.exe 39 PID 1656 wrote to memory of 2820 1656 Gojdnm32.exe 39 PID 1656 wrote to memory of 2820 1656 Gojdnm32.exe 39 PID 2820 wrote to memory of 1528 2820 Hedmkgmi.exe 40 PID 2820 wrote to memory of 1528 2820 Hedmkgmi.exe 40 PID 2820 wrote to memory of 1528 2820 Hedmkgmi.exe 40 PID 2820 wrote to memory of 1528 2820 Hedmkgmi.exe 40 PID 1528 wrote to memory of 1760 1528 Hhbigblm.exe 41 PID 1528 wrote to memory of 1760 1528 Hhbigblm.exe 41 PID 1528 wrote to memory of 1760 1528 Hhbigblm.exe 41 PID 1528 wrote to memory of 1760 1528 Hhbigblm.exe 41 PID 1760 wrote to memory of 3048 1760 Hkqecnkq.exe 42 PID 1760 wrote to memory of 3048 1760 Hkqecnkq.exe 42 PID 1760 wrote to memory of 3048 1760 Hkqecnkq.exe 42 PID 1760 wrote to memory of 3048 1760 Hkqecnkq.exe 42 PID 3048 wrote to memory of 540 3048 Hakmph32.exe 43 PID 3048 wrote to memory of 540 3048 Hakmph32.exe 43 PID 3048 wrote to memory of 540 3048 Hakmph32.exe 43 PID 3048 wrote to memory of 540 3048 Hakmph32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe"C:\Users\Admin\AppData\Local\Temp\a3a9b47636891e7b8526b964c85cd6ddb6bb818a1a71575126d34e8a21d36ba5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Gheimogo.exeC:\Windows\system32\Gheimogo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Giffeg32.exeC:\Windows\system32\Giffeg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Gmabeeef.exeC:\Windows\system32\Gmabeeef.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Glgofbjn.exeC:\Windows\system32\Glgofbjn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Gglcdkjd.exeC:\Windows\system32\Gglcdkjd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Gikopfih.exeC:\Windows\system32\Gikopfih.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Gliklahk.exeC:\Windows\system32\Gliklahk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Ggopijha.exeC:\Windows\system32\Ggopijha.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Gimlefge.exeC:\Windows\system32\Gimlefge.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Gllhaa32.exeC:\Windows\system32\Gllhaa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Gojdnm32.exeC:\Windows\system32\Gojdnm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Hedmkgmi.exeC:\Windows\system32\Hedmkgmi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Hhbigblm.exeC:\Windows\system32\Hhbigblm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Hkqecnkq.exeC:\Windows\system32\Hkqecnkq.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Hakmph32.exeC:\Windows\system32\Hakmph32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Hdijlc32.exeC:\Windows\system32\Hdijlc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Hkeonm32.exeC:\Windows\system32\Hkeonm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Haogkgoh.exeC:\Windows\system32\Haogkgoh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Hkhkcm32.exeC:\Windows\system32\Hkhkcm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:500 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe33⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe34⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe35⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe36⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe37⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe38⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe40⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe41⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:644 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe43⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe44⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe45⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe46⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe47⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe48⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe49⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe50⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe51⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe53⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe54⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe55⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe56⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe58⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe60⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe61⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe63⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe64⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe65⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe66⤵PID:2828
-
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe67⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe68⤵PID:2944
-
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe69⤵PID:2564
-
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe70⤵PID:2028
-
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe71⤵PID:2892
-
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe72⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe73⤵PID:2528
-
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe74⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe75⤵PID:888
-
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe76⤵PID:2020
-
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe77⤵PID:608
-
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe78⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe79⤵PID:1472
-
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe80⤵
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe81⤵
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe83⤵
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe84⤵PID:2148
-
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe85⤵PID:2964
-
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe86⤵PID:2952
-
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1620 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe88⤵PID:2740
-
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe89⤵PID:1036
-
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe90⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe91⤵
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe92⤵PID:2260
-
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe93⤵PID:872
-
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe94⤵PID:1356
-
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe95⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe96⤵PID:2308
-
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe97⤵PID:2632
-
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe98⤵PID:676
-
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe99⤵PID:2168
-
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe100⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe101⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe102⤵PID:1232
-
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe103⤵PID:764
-
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe104⤵PID:2620
-
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe105⤵
- Drops file in System32 directory
PID:1428 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe106⤵
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe107⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe108⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe109⤵PID:2084
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe110⤵PID:2644
-
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe111⤵PID:2076
-
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe112⤵PID:2516
-
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe113⤵PID:1556
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe115⤵PID:2480
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe116⤵PID:2724
-
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe117⤵PID:2844
-
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe118⤵PID:964
-
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe119⤵PID:924
-
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe120⤵
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe121⤵PID:384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-