Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 01:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
21401bbd7682f99be2a89cbaf57677d0.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
21401bbd7682f99be2a89cbaf57677d0.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
21401bbd7682f99be2a89cbaf57677d0.exe
-
Size
82KB
-
MD5
21401bbd7682f99be2a89cbaf57677d0
-
SHA1
8ee947a05ceee57ef0750376798c4609b81c8584
-
SHA256
33022b4b4adddaaeb8cc640804aafcbe924a61f5d42b58adb5c5be6f8bdb4561
-
SHA512
0d3fe145f2e66ccde9bff23ac3b2c7dea3f7b299653d2ac01174a027f014d361520ced88449b9d411d40fc92ba7e2fbdf1c1525839ec675d36bd937f19324236
-
SSDEEP
1536:WVjVXVa3j+1BBQjduBrhV415GAcIt2L7Rpm6+wDSmQFN6TiN1sJtvQu:GVa3j+1BBQhlGAcI+Npm6tm7N6TO1SpD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjleflod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oioggmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbllnlfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbogqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfanmogq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnaiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnokgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfoch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofejpmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdhgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppinkcnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daaenlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picojhcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjfgqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhhgkib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhbgbkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfphcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkplgnq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabmbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoqjqhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oecmogln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeagimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dipjkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omckoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfmojcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdonhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibacbcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmcnqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnoijbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bniajoic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqqpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqhhanig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debadpeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epeoaffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfljkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegkpo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2824 Fcjeon32.exe 2612 Fmcjhdbc.exe 2572 Fdnolfon.exe 2624 Ffmkfifa.exe 2620 Fkjdopeh.exe 2468 Fdbhge32.exe 2200 Geeemeif.exe 1916 Gjdjklek.exe 2616 Gjfgqk32.exe 1648 Gjicfk32.exe 2352 Gpelnb32.exe 2016 Hebdfind.exe 1912 Heealhla.exe 2284 Hloiib32.exe 776 Hhejnc32.exe 2608 Hbknkl32.exe 2252 Hmeolj32.exe 2044 Hhjcic32.exe 604 Iabhah32.exe 2392 Imiigiab.exe 1020 Ilofhffj.exe 2184 Ilabmedg.exe 572 Ihhcbf32.exe 1744 Iigpli32.exe 1688 Jkhldafl.exe 1612 Jenpajfb.exe 2936 Jofejpmc.exe 2812 Jnkakl32.exe 2636 Jnnnalph.exe 1888 Jdhgnf32.exe 2756 Jnpkflne.exe 2876 Kcmcoblm.exe 840 Koddccaa.exe 884 Kfnmpn32.exe 1276 Kofaicon.exe 1640 Kjleflod.exe 1672 Kljabgnh.exe 1936 Kcdjoaee.exe 1716 Kdefgj32.exe 1516 Kokjdb32.exe 1836 Kfebambf.exe 432 Kgfoie32.exe 1804 Lnpgeopa.exe 2132 Lhelbh32.exe 1036 Lqqpgj32.exe 1776 Lkfddc32.exe 904 Lmgalkcf.exe 2296 Lfpeeqig.exe 1732 Lqejbiim.exe 3040 Lgoboc32.exe 2908 Lmljgj32.exe 2532 Mpamde32.exe 2580 Mlhnifmq.exe 2372 Maefamlh.exe 2496 Mjnjjbbh.exe 2120 Nmlgfnal.exe 2840 Ncfoch32.exe 2212 Njpgpbpf.exe 2340 Npmphinm.exe 2732 Nhdhif32.exe 1272 Niedqnen.exe 1968 Npolmh32.exe 2124 Nfidjbdg.exe 704 Nmcmgm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2784 21401bbd7682f99be2a89cbaf57677d0.exe 2784 21401bbd7682f99be2a89cbaf57677d0.exe 2824 Fcjeon32.exe 2824 Fcjeon32.exe 2612 Fmcjhdbc.exe 2612 Fmcjhdbc.exe 2572 Fdnolfon.exe 2572 Fdnolfon.exe 2624 Ffmkfifa.exe 2624 Ffmkfifa.exe 2620 Fkjdopeh.exe 2620 Fkjdopeh.exe 2468 Fdbhge32.exe 2468 Fdbhge32.exe 2200 Geeemeif.exe 2200 Geeemeif.exe 1916 Gjdjklek.exe 1916 Gjdjklek.exe 2616 Gjfgqk32.exe 2616 Gjfgqk32.exe 1648 Gjicfk32.exe 1648 Gjicfk32.exe 2352 Gpelnb32.exe 2352 Gpelnb32.exe 2016 Hebdfind.exe 2016 Hebdfind.exe 1912 Heealhla.exe 1912 Heealhla.exe 2284 Hloiib32.exe 2284 Hloiib32.exe 776 Hhejnc32.exe 776 Hhejnc32.exe 2608 Hbknkl32.exe 2608 Hbknkl32.exe 2252 Hmeolj32.exe 2252 Hmeolj32.exe 2044 Hhjcic32.exe 2044 Hhjcic32.exe 604 Iabhah32.exe 604 Iabhah32.exe 2392 Imiigiab.exe 2392 Imiigiab.exe 1020 Ilofhffj.exe 1020 Ilofhffj.exe 2184 Ilabmedg.exe 2184 Ilabmedg.exe 572 Ihhcbf32.exe 572 Ihhcbf32.exe 1744 Iigpli32.exe 1744 Iigpli32.exe 1688 Jkhldafl.exe 1688 Jkhldafl.exe 1612 Jenpajfb.exe 1612 Jenpajfb.exe 2936 Jofejpmc.exe 2936 Jofejpmc.exe 2812 Jnkakl32.exe 2812 Jnkakl32.exe 2636 Jnnnalph.exe 2636 Jnnnalph.exe 1888 Jdhgnf32.exe 1888 Jdhgnf32.exe 2756 Jnpkflne.exe 2756 Jnpkflne.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ikgkei32.exe Hoqjqhjf.exe File created C:\Windows\SysWOW64\Pkjphcff.exe Phlclgfc.exe File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Aacmij32.exe Qlfdac32.exe File created C:\Windows\SysWOW64\Addfkeid.exe Aklabp32.exe File opened for modification C:\Windows\SysWOW64\Pkifdd32.exe Pdonhj32.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Bchfhfeh.exe File created C:\Windows\SysWOW64\Khoqme32.dll Allefimb.exe File opened for modification C:\Windows\SysWOW64\Aacmij32.exe Qlfdac32.exe File opened for modification C:\Windows\SysWOW64\Nhdhif32.exe Npmphinm.exe File created C:\Windows\SysWOW64\Obkefk32.dll Dhkkbmnp.exe File created C:\Windows\SysWOW64\Gaagcpdl.exe Gockgdeh.exe File created C:\Windows\SysWOW64\Hgnokgcc.exe Gaagcpdl.exe File created C:\Windows\SysWOW64\Pgbdodnh.exe Pphkbj32.exe File opened for modification C:\Windows\SysWOW64\Dhkkbmnp.exe Dbncjf32.exe File created C:\Windows\SysWOW64\Mhhigm32.dll Bnnaoe32.exe File opened for modification C:\Windows\SysWOW64\Dejbqb32.exe Copjdhib.exe File created C:\Windows\SysWOW64\Cdfddadf.dll Eppcmncq.exe File created C:\Windows\SysWOW64\Nmkplgnq.exe Nfahomfd.exe File created C:\Windows\SysWOW64\Bdoaqh32.dll Ajmijmnn.exe File created C:\Windows\SysWOW64\Gmkame32.dll Bmnnkl32.exe File opened for modification C:\Windows\SysWOW64\Ihhcbf32.exe Ilabmedg.exe File created C:\Windows\SysWOW64\Hnlfhkoa.dll Oajlkojn.exe File created C:\Windows\SysWOW64\Hmpaom32.exe Hgciff32.exe File created C:\Windows\SysWOW64\Gbnbjo32.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Nedmma32.dll Aclpaali.exe File opened for modification C:\Windows\SysWOW64\Gjfgqk32.exe Gjdjklek.exe File opened for modification C:\Windows\SysWOW64\Neknki32.exe Nbmaon32.exe File opened for modification C:\Windows\SysWOW64\Pghfnc32.exe Ppnnai32.exe File opened for modification C:\Windows\SysWOW64\Oijjka32.exe Odmabj32.exe File opened for modification C:\Windows\SysWOW64\Aqmamm32.exe Ajcipc32.exe File created C:\Windows\SysWOW64\Omckoi32.exe Olbogqoe.exe File opened for modification C:\Windows\SysWOW64\Cmmcpi32.exe Coicfd32.exe File opened for modification C:\Windows\SysWOW64\Djocbqpb.exe Dcdkef32.exe File created C:\Windows\SysWOW64\Jpgmpk32.exe Jfohgepi.exe File created C:\Windows\SysWOW64\Niedqnen.exe Nhdhif32.exe File opened for modification C:\Windows\SysWOW64\Pafdjmkq.exe Pkmlmbcd.exe File created C:\Windows\SysWOW64\Qackpado.exe Qkibcg32.exe File opened for modification C:\Windows\SysWOW64\Phklaacg.exe Ppddpd32.exe File created C:\Windows\SysWOW64\Kjkbonmp.dll Npmphinm.exe File created C:\Windows\SysWOW64\Dgkjaa32.dll Amcbankf.exe File opened for modification C:\Windows\SysWOW64\Biolanld.exe Bbeded32.exe File opened for modification C:\Windows\SysWOW64\Gamnhq32.exe Giaidnkf.exe File opened for modification C:\Windows\SysWOW64\Jnpkflne.exe Jdhgnf32.exe File created C:\Windows\SysWOW64\Lkfddc32.exe Lqqpgj32.exe File created C:\Windows\SysWOW64\Oiljam32.exe Nfnneb32.exe File created C:\Windows\SysWOW64\Hneebcff.dll Jpbalb32.exe File created C:\Windows\SysWOW64\Fkaamgeg.dll Ikldqile.exe File opened for modification C:\Windows\SysWOW64\Oehdan32.exe Oonldcih.exe File created C:\Windows\SysWOW64\Eejopecj.exe Edibhmml.exe File opened for modification C:\Windows\SysWOW64\Cgidfcdk.exe Bbllnlfd.exe File created C:\Windows\SysWOW64\Bdqlajbb.exe Bnfddp32.exe File created C:\Windows\SysWOW64\Lifaid32.dll Ppfafcpb.exe File created C:\Windows\SysWOW64\Ilkekm32.dll Lnecigcp.exe File created C:\Windows\SysWOW64\Acfenf32.dll Mhfjjdjf.exe File created C:\Windows\SysWOW64\Fccglehn.exe Fkhbgbkc.exe File created C:\Windows\SysWOW64\Qfljkp32.exe Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Oeindm32.exe Odgamdef.exe File created C:\Windows\SysWOW64\Pdonhj32.exe Oijjka32.exe File created C:\Windows\SysWOW64\Jncnhl32.dll Mnaiol32.exe File opened for modification C:\Windows\SysWOW64\Oekjjl32.exe Ooabmbbe.exe File created C:\Windows\SysWOW64\Bmamle32.dll Ohdfqbio.exe File opened for modification C:\Windows\SysWOW64\Fkjdopeh.exe Ffmkfifa.exe File created C:\Windows\SysWOW64\Agngji32.dll Kfnmpn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4180 2468 WerFault.exe 427 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajflifmi.dll" Flnlkgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmckc32.dll" Gockgdeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdpgmhn.dll" Mhjcec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkhbgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbknkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddimn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgefgpha.dll" Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heealhla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plaimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinhie.dll" Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlkfoig.dll" Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkjphcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphfbiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohncbdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkbdabog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhejnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbknkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npolmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekhchoj.dll" Epbpbnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leghmkmk.dll" Dnqlmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfnmpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneebcff.dll" Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll" Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pghfnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmamle32.dll" Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaccbmie.dll" Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odohol32.dll" Oagoep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppfafcpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll" Pghfnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmhkin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmeolj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnnnalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbkkmi32.dll" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfnel32.dll" Kljabgnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idppjg32.dll" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfebgn32.dll" Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmjae32.dll" Ppinkcnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Japciodd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2784 wrote to memory of 2824 2784 21401bbd7682f99be2a89cbaf57677d0.exe 28 PID 2784 wrote to memory of 2824 2784 21401bbd7682f99be2a89cbaf57677d0.exe 28 PID 2784 wrote to memory of 2824 2784 21401bbd7682f99be2a89cbaf57677d0.exe 28 PID 2784 wrote to memory of 2824 2784 21401bbd7682f99be2a89cbaf57677d0.exe 28 PID 2824 wrote to memory of 2612 2824 Fcjeon32.exe 29 PID 2824 wrote to memory of 2612 2824 Fcjeon32.exe 29 PID 2824 wrote to memory of 2612 2824 Fcjeon32.exe 29 PID 2824 wrote to memory of 2612 2824 Fcjeon32.exe 29 PID 2612 wrote to memory of 2572 2612 Fmcjhdbc.exe 30 PID 2612 wrote to memory of 2572 2612 Fmcjhdbc.exe 30 PID 2612 wrote to memory of 2572 2612 Fmcjhdbc.exe 30 PID 2612 wrote to memory of 2572 2612 Fmcjhdbc.exe 30 PID 2572 wrote to memory of 2624 2572 Fdnolfon.exe 31 PID 2572 wrote to memory of 2624 2572 Fdnolfon.exe 31 PID 2572 wrote to memory of 2624 2572 Fdnolfon.exe 31 PID 2572 wrote to memory of 2624 2572 Fdnolfon.exe 31 PID 2624 wrote to memory of 2620 2624 Ffmkfifa.exe 32 PID 2624 wrote to memory of 2620 2624 Ffmkfifa.exe 32 PID 2624 wrote to memory of 2620 2624 Ffmkfifa.exe 32 PID 2624 wrote to memory of 2620 2624 Ffmkfifa.exe 32 PID 2620 wrote to memory of 2468 2620 Fkjdopeh.exe 33 PID 2620 wrote to memory of 2468 2620 Fkjdopeh.exe 33 PID 2620 wrote to memory of 2468 2620 Fkjdopeh.exe 33 PID 2620 wrote to memory of 2468 2620 Fkjdopeh.exe 33 PID 2468 wrote to memory of 2200 2468 Fdbhge32.exe 34 PID 2468 wrote to memory of 2200 2468 Fdbhge32.exe 34 PID 2468 wrote to memory of 2200 2468 Fdbhge32.exe 34 PID 2468 wrote to memory of 2200 2468 Fdbhge32.exe 34 PID 2200 wrote to memory of 1916 2200 Geeemeif.exe 35 PID 2200 wrote to memory of 1916 2200 Geeemeif.exe 35 PID 2200 wrote to memory of 1916 2200 Geeemeif.exe 35 PID 2200 wrote to memory of 1916 2200 Geeemeif.exe 35 PID 1916 wrote to memory of 2616 1916 Gjdjklek.exe 36 PID 1916 wrote to memory of 2616 1916 Gjdjklek.exe 36 PID 1916 wrote to memory of 2616 1916 Gjdjklek.exe 36 PID 1916 wrote to memory of 2616 1916 Gjdjklek.exe 36 PID 2616 wrote to memory of 1648 2616 Gjfgqk32.exe 37 PID 2616 wrote to memory of 1648 2616 Gjfgqk32.exe 37 PID 2616 wrote to memory of 1648 2616 Gjfgqk32.exe 37 PID 2616 wrote to memory of 1648 2616 Gjfgqk32.exe 37 PID 1648 wrote to memory of 2352 1648 Gjicfk32.exe 38 PID 1648 wrote to memory of 2352 1648 Gjicfk32.exe 38 PID 1648 wrote to memory of 2352 1648 Gjicfk32.exe 38 PID 1648 wrote to memory of 2352 1648 Gjicfk32.exe 38 PID 2352 wrote to memory of 2016 2352 Gpelnb32.exe 39 PID 2352 wrote to memory of 2016 2352 Gpelnb32.exe 39 PID 2352 wrote to memory of 2016 2352 Gpelnb32.exe 39 PID 2352 wrote to memory of 2016 2352 Gpelnb32.exe 39 PID 2016 wrote to memory of 1912 2016 Hebdfind.exe 40 PID 2016 wrote to memory of 1912 2016 Hebdfind.exe 40 PID 2016 wrote to memory of 1912 2016 Hebdfind.exe 40 PID 2016 wrote to memory of 1912 2016 Hebdfind.exe 40 PID 1912 wrote to memory of 2284 1912 Heealhla.exe 41 PID 1912 wrote to memory of 2284 1912 Heealhla.exe 41 PID 1912 wrote to memory of 2284 1912 Heealhla.exe 41 PID 1912 wrote to memory of 2284 1912 Heealhla.exe 41 PID 2284 wrote to memory of 776 2284 Hloiib32.exe 42 PID 2284 wrote to memory of 776 2284 Hloiib32.exe 42 PID 2284 wrote to memory of 776 2284 Hloiib32.exe 42 PID 2284 wrote to memory of 776 2284 Hloiib32.exe 42 PID 776 wrote to memory of 2608 776 Hhejnc32.exe 43 PID 776 wrote to memory of 2608 776 Hhejnc32.exe 43 PID 776 wrote to memory of 2608 776 Hhejnc32.exe 43 PID 776 wrote to memory of 2608 776 Hhejnc32.exe 43
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\21401bbd7682f99be2a89cbaf57677d0.exe"C:\Users\Admin\AppData\Local\Temp\21401bbd7682f99be2a89cbaf57677d0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe33⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe36⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe39⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe40⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe41⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe44⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe45⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe47⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe48⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe49⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe50⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe51⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe52⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe53⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe54⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe55⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe56⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe57⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe59⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe62⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe64⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe65⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe66⤵PID:2032
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe67⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe68⤵PID:2716
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe69⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe70⤵PID:1392
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe71⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe73⤵PID:1984
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe74⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe76⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe77⤵PID:2656
-
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe78⤵PID:2516
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe79⤵PID:2860
-
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe80⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe81⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe83⤵PID:2324
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe84⤵PID:1896
-
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe85⤵PID:588
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe86⤵PID:520
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe87⤵
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe88⤵PID:1764
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe89⤵PID:1840
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe90⤵PID:1544
-
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe91⤵PID:2720
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe92⤵
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe93⤵PID:1308
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe96⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:972 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe98⤵
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe99⤵PID:1184
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe100⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe101⤵PID:1652
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe103⤵PID:2804
-
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe104⤵PID:1724
-
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe105⤵PID:2140
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe106⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe107⤵PID:2972
-
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe108⤵
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe109⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe110⤵PID:880
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe111⤵PID:2588
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe112⤵PID:560
-
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe113⤵
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe114⤵PID:1204
-
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe115⤵
- Drops file in System32 directory
PID:524 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe116⤵PID:2080
-
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe117⤵PID:2288
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe118⤵PID:940
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe119⤵PID:1180
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe120⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe121⤵PID:632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-