Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
03/06/2024, 21:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe
-
Size
224KB
-
MD5
24d4679645bf07dd533ce29788c5f103
-
SHA1
45c5a4c0d773990b1ef5a14ed76f1048e0c7fd13
-
SHA256
4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5
-
SHA512
988d77c04dc4a3bb8d11ea86ae3ac7c2b551808864f1087cdd81e40d097561580e20f019b8a6f8e5153c27e7799bce380222ae715829318c42c9ed65a4ea14db
-
SSDEEP
3072:cJQ7FgAi9uFR1XeURER9DWvYc6J42B1xdLm102VZjuajDMyap9jCyFsWteYCWS3:cJQ73bFR1Xf43J42B1xBm102VQlter
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaklpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiccofna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjbmjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdoclk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjojofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfefiemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afohaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobjaqaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qedhdjnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdjbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lliflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggkllpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdcji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaklpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdnkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpmjak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afohaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikojfgk.exe -
Executes dropped EXE 64 IoCs
pid Process 3012 Afmonbqk.exe 2724 Aljgfioc.exe 3024 Bbdocc32.exe 2156 Bhahlj32.exe 2492 Bbflib32.exe 2284 Beehencq.exe 2728 Bkaqmeah.exe 2916 Bhfagipa.exe 2384 Bkdmcdoe.exe 1896 Banepo32.exe 1368 Bgknheej.exe 856 Bnefdp32.exe 2340 Cgmkmecg.exe 2884 Cjlgiqbk.exe 676 Ccdlbf32.exe 1404 Cfbhnaho.exe 2424 Cgbdhd32.exe 2064 Cfeddafl.exe 2024 Cpjiajeb.exe 1240 Cciemedf.exe 1796 Cbkeib32.exe 744 Cjbmjplb.exe 2852 Claifkkf.exe 2980 Ckdjbh32.exe 1656 Cndbcc32.exe 2700 Dflkdp32.exe 2588 Dgmglh32.exe 2968 Ddagfm32.exe 2744 Dcfdgiid.exe 2776 Dmoipopd.exe 2828 Dnneja32.exe 2760 Doobajme.exe 1452 Emcbkn32.exe 2928 Epaogi32.exe 2768 Ejgcdb32.exe 1472 Eijcpoac.exe 1860 Epdkli32.exe 2204 Efncicpm.exe 1584 Ekklaj32.exe 1108 Enihne32.exe 2268 Eiomkn32.exe 2088 Egamfkdh.exe 660 Epieghdk.exe 1316 Ebgacddo.exe 1932 Eeempocb.exe 1464 Eiaiqn32.exe 2432 Eloemi32.exe 1548 Ejbfhfaj.exe 3040 Ebinic32.exe 2688 Ealnephf.exe 2272 Fckjalhj.exe 2628 Fhffaj32.exe 2708 Fjdbnf32.exe 2592 Fmcoja32.exe 2780 Faokjpfd.exe 2840 Fejgko32.exe 340 Fhhcgj32.exe 2460 Ffkcbgek.exe 2044 Fnbkddem.exe 1256 Fmekoalh.exe 2312 Fpdhklkl.exe 1864 Fdoclk32.exe 1700 Fhkpmjln.exe 2320 Fjilieka.exe -
Loads dropped DLL 64 IoCs
pid Process 2656 4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe 2656 4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe 3012 Afmonbqk.exe 3012 Afmonbqk.exe 2724 Aljgfioc.exe 2724 Aljgfioc.exe 3024 Bbdocc32.exe 3024 Bbdocc32.exe 2156 Bhahlj32.exe 2156 Bhahlj32.exe 2492 Bbflib32.exe 2492 Bbflib32.exe 2284 Beehencq.exe 2284 Beehencq.exe 2728 Bkaqmeah.exe 2728 Bkaqmeah.exe 2916 Bhfagipa.exe 2916 Bhfagipa.exe 2384 Bkdmcdoe.exe 2384 Bkdmcdoe.exe 1896 Banepo32.exe 1896 Banepo32.exe 1368 Bgknheej.exe 1368 Bgknheej.exe 856 Bnefdp32.exe 856 Bnefdp32.exe 2340 Cgmkmecg.exe 2340 Cgmkmecg.exe 2884 Cjlgiqbk.exe 2884 Cjlgiqbk.exe 676 Ccdlbf32.exe 676 Ccdlbf32.exe 1404 Cfbhnaho.exe 1404 Cfbhnaho.exe 2424 Cgbdhd32.exe 2424 Cgbdhd32.exe 2064 Cfeddafl.exe 2064 Cfeddafl.exe 2024 Cpjiajeb.exe 2024 Cpjiajeb.exe 1240 Cciemedf.exe 1240 Cciemedf.exe 1796 Cbkeib32.exe 1796 Cbkeib32.exe 744 Cjbmjplb.exe 744 Cjbmjplb.exe 2852 Claifkkf.exe 2852 Claifkkf.exe 2980 Ckdjbh32.exe 2980 Ckdjbh32.exe 1656 Cndbcc32.exe 1656 Cndbcc32.exe 2700 Dflkdp32.exe 2700 Dflkdp32.exe 2588 Dgmglh32.exe 2588 Dgmglh32.exe 2968 Ddagfm32.exe 2968 Ddagfm32.exe 2744 Dcfdgiid.exe 2744 Dcfdgiid.exe 2776 Dmoipopd.exe 2776 Dmoipopd.exe 2828 Dnneja32.exe 2828 Dnneja32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ikkbnm32.dll Fdoclk32.exe File opened for modification C:\Windows\SysWOW64\Hnagjbdf.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Konojnki.dll Kaklpcoc.exe File opened for modification C:\Windows\SysWOW64\Qfahhm32.exe Qpgpkcpp.exe File opened for modification C:\Windows\SysWOW64\Dfamcogo.exe Dccagcgk.exe File created C:\Windows\SysWOW64\Dojald32.exe Dknekeef.exe File created C:\Windows\SysWOW64\Efncicpm.exe Epdkli32.exe File created C:\Windows\SysWOW64\Kkgmgmfd.exe Kaaijdgn.exe File created C:\Windows\SysWOW64\Nhlhki32.dll Kgbggnhc.exe File created C:\Windows\SysWOW64\Coelaaoi.exe Blgpef32.exe File opened for modification C:\Windows\SysWOW64\Idmhkpml.exe Imfqjbli.exe File created C:\Windows\SysWOW64\Lanfmb32.dll Enihne32.exe File created C:\Windows\SysWOW64\Gmjaic32.exe Gogangdc.exe File created C:\Windows\SysWOW64\Iknnbklc.exe Ilknfn32.exe File created C:\Windows\SysWOW64\Mlmlecec.exe Miooigfo.exe File opened for modification C:\Windows\SysWOW64\Enakbp32.exe Dookgcij.exe File created C:\Windows\SysWOW64\Fmpkjkma.exe Fjaonpnn.exe File created C:\Windows\SysWOW64\Imhjppim.dll Ccdlbf32.exe File opened for modification C:\Windows\SysWOW64\Kfbkmk32.exe Keanebkb.exe File created C:\Windows\SysWOW64\Gjodeppm.dll Mkclhl32.exe File created C:\Windows\SysWOW64\Dfdjhndl.exe Dbhnhp32.exe File created C:\Windows\SysWOW64\Abqjpn32.dll Jokcgmee.exe File created C:\Windows\SysWOW64\Pnjdhmdo.exe Pogclp32.exe File created C:\Windows\SysWOW64\Adnopfoj.exe Anafhopc.exe File created C:\Windows\SysWOW64\Giaekk32.dll Bmmiij32.exe File opened for modification C:\Windows\SysWOW64\Claifkkf.exe Cjbmjplb.exe File opened for modification C:\Windows\SysWOW64\Dccagcgk.exe Dpeekh32.exe File opened for modification C:\Windows\SysWOW64\Fnbkddem.exe Ffkcbgek.exe File created C:\Windows\SysWOW64\Lednakhd.dll Dookgcij.exe File created C:\Windows\SysWOW64\Fhffaj32.exe Fckjalhj.exe File opened for modification C:\Windows\SysWOW64\Jkbcln32.exe Jfekcg32.exe File created C:\Windows\SysWOW64\Bccnbmal.dll Fmekoalh.exe File created C:\Windows\SysWOW64\Iifjjk32.dll Dpeekh32.exe File created C:\Windows\SysWOW64\Idmhkpml.exe Imfqjbli.exe File created C:\Windows\SysWOW64\Cgcmlcja.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Piphee32.exe Pedleg32.exe File created C:\Windows\SysWOW64\Bekkcljk.exe Bghjhp32.exe File created C:\Windows\SysWOW64\Egqdeaqb.dll Dhpiojfb.exe File created C:\Windows\SysWOW64\Kncphpjl.dll Ddigjkid.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ilknfn32.exe File created C:\Windows\SysWOW64\Pnlqnl32.exe Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Coelaaoi.exe Blgpef32.exe File opened for modification C:\Windows\SysWOW64\Cgcmlcja.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Oclilp32.exe Oopnlacm.exe File created C:\Windows\SysWOW64\Hdihmjpf.dll Alegac32.exe File created C:\Windows\SysWOW64\Abkphdmd.dll Ehgppi32.exe File created C:\Windows\SysWOW64\Lpdhmlbj.dll Egamfkdh.exe File created C:\Windows\SysWOW64\Aagancdj.dll Lmcijcbe.exe File created C:\Windows\SysWOW64\Oikojfgk.exe Odobjg32.exe File created C:\Windows\SysWOW64\Codpklfq.dll Hiqbndpb.exe File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Ckdjbh32.exe Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Icmlam32.exe Ijeghgoh.exe File created C:\Windows\SysWOW64\Jonpde32.dll Pjcabmga.exe File created C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Obdkcckg.dll Mlibjc32.exe File created C:\Windows\SysWOW64\Nehmdhja.exe Nondgn32.exe File created C:\Windows\SysWOW64\Ebbgbdkh.dll Ohfeog32.exe File opened for modification C:\Windows\SysWOW64\Qmicohqm.exe Qjjgclai.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hicodd32.exe File created C:\Windows\SysWOW64\Dglhipbb.dll Kbqecg32.exe File created C:\Windows\SysWOW64\Nkemkhcd.dll Pefijfii.exe File opened for modification C:\Windows\SysWOW64\Boqbfb32.exe Blbfjg32.exe File created C:\Windows\SysWOW64\Cddaphkn.exe Ceaadk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4616 4796 WerFault.exe 383 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" Fnbkddem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" Gieojq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lecgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdoclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" Bbdocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beehencq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgljbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkgfioo.dll" Noqamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epieghdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejodhmc.dll" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkclhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecqqpgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpeekh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicbeald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kifpdelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbmjplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpmjak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konojnki.dll" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgimmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpmlfkm.dll" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpajdp32.dll" Odobjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgneh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfdll32.dll" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" Enakbp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2656 wrote to memory of 3012 2656 4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe 28 PID 2656 wrote to memory of 3012 2656 4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe 28 PID 2656 wrote to memory of 3012 2656 4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe 28 PID 2656 wrote to memory of 3012 2656 4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe 28 PID 3012 wrote to memory of 2724 3012 Afmonbqk.exe 29 PID 3012 wrote to memory of 2724 3012 Afmonbqk.exe 29 PID 3012 wrote to memory of 2724 3012 Afmonbqk.exe 29 PID 3012 wrote to memory of 2724 3012 Afmonbqk.exe 29 PID 2724 wrote to memory of 3024 2724 Aljgfioc.exe 30 PID 2724 wrote to memory of 3024 2724 Aljgfioc.exe 30 PID 2724 wrote to memory of 3024 2724 Aljgfioc.exe 30 PID 2724 wrote to memory of 3024 2724 Aljgfioc.exe 30 PID 3024 wrote to memory of 2156 3024 Bbdocc32.exe 31 PID 3024 wrote to memory of 2156 3024 Bbdocc32.exe 31 PID 3024 wrote to memory of 2156 3024 Bbdocc32.exe 31 PID 3024 wrote to memory of 2156 3024 Bbdocc32.exe 31 PID 2156 wrote to memory of 2492 2156 Bhahlj32.exe 32 PID 2156 wrote to memory of 2492 2156 Bhahlj32.exe 32 PID 2156 wrote to memory of 2492 2156 Bhahlj32.exe 32 PID 2156 wrote to memory of 2492 2156 Bhahlj32.exe 32 PID 2492 wrote to memory of 2284 2492 Bbflib32.exe 33 PID 2492 wrote to memory of 2284 2492 Bbflib32.exe 33 PID 2492 wrote to memory of 2284 2492 Bbflib32.exe 33 PID 2492 wrote to memory of 2284 2492 Bbflib32.exe 33 PID 2284 wrote to memory of 2728 2284 Beehencq.exe 34 PID 2284 wrote to memory of 2728 2284 Beehencq.exe 34 PID 2284 wrote to memory of 2728 2284 Beehencq.exe 34 PID 2284 wrote to memory of 2728 2284 Beehencq.exe 34 PID 2728 wrote to memory of 2916 2728 Bkaqmeah.exe 35 PID 2728 wrote to memory of 2916 2728 Bkaqmeah.exe 35 PID 2728 wrote to memory of 2916 2728 Bkaqmeah.exe 35 PID 2728 wrote to memory of 2916 2728 Bkaqmeah.exe 35 PID 2916 wrote to memory of 2384 2916 Bhfagipa.exe 36 PID 2916 wrote to memory of 2384 2916 Bhfagipa.exe 36 PID 2916 wrote to memory of 2384 2916 Bhfagipa.exe 36 PID 2916 wrote to memory of 2384 2916 Bhfagipa.exe 36 PID 2384 wrote to memory of 1896 2384 Bkdmcdoe.exe 37 PID 2384 wrote to memory of 1896 2384 Bkdmcdoe.exe 37 PID 2384 wrote to memory of 1896 2384 Bkdmcdoe.exe 37 PID 2384 wrote to memory of 1896 2384 Bkdmcdoe.exe 37 PID 1896 wrote to memory of 1368 1896 Banepo32.exe 38 PID 1896 wrote to memory of 1368 1896 Banepo32.exe 38 PID 1896 wrote to memory of 1368 1896 Banepo32.exe 38 PID 1896 wrote to memory of 1368 1896 Banepo32.exe 38 PID 1368 wrote to memory of 856 1368 Bgknheej.exe 39 PID 1368 wrote to memory of 856 1368 Bgknheej.exe 39 PID 1368 wrote to memory of 856 1368 Bgknheej.exe 39 PID 1368 wrote to memory of 856 1368 Bgknheej.exe 39 PID 856 wrote to memory of 2340 856 Bnefdp32.exe 40 PID 856 wrote to memory of 2340 856 Bnefdp32.exe 40 PID 856 wrote to memory of 2340 856 Bnefdp32.exe 40 PID 856 wrote to memory of 2340 856 Bnefdp32.exe 40 PID 2340 wrote to memory of 2884 2340 Cgmkmecg.exe 41 PID 2340 wrote to memory of 2884 2340 Cgmkmecg.exe 41 PID 2340 wrote to memory of 2884 2340 Cgmkmecg.exe 41 PID 2340 wrote to memory of 2884 2340 Cgmkmecg.exe 41 PID 2884 wrote to memory of 676 2884 Cjlgiqbk.exe 42 PID 2884 wrote to memory of 676 2884 Cjlgiqbk.exe 42 PID 2884 wrote to memory of 676 2884 Cjlgiqbk.exe 42 PID 2884 wrote to memory of 676 2884 Cjlgiqbk.exe 42 PID 676 wrote to memory of 1404 676 Ccdlbf32.exe 43 PID 676 wrote to memory of 1404 676 Ccdlbf32.exe 43 PID 676 wrote to memory of 1404 676 Ccdlbf32.exe 43 PID 676 wrote to memory of 1404 676 Ccdlbf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe"C:\Users\Admin\AppData\Local\Temp\4b0517438eed289a3003570ab961ed62a8058a9ea737a5f735a2b3159db21cb5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe33⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe35⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe37⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe39⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe45⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe46⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe47⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe48⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe53⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe54⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe56⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe64⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe65⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe66⤵PID:480
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe67⤵PID:568
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe69⤵PID:2372
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe70⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe72⤵PID:2352
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe73⤵PID:2040
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe74⤵PID:2692
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe75⤵PID:2468
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe76⤵PID:1880
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2796 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe80⤵PID:1688
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe81⤵PID:2868
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe83⤵
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe84⤵PID:1444
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe86⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe87⤵PID:344
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe88⤵PID:2900
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe89⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe90⤵PID:2564
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe91⤵PID:2480
-
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe92⤵PID:2732
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe93⤵PID:2808
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe94⤵PID:2280
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe96⤵PID:2716
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe97⤵PID:1000
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe98⤵PID:1944
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe99⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe100⤵PID:1756
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe101⤵PID:2572
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe102⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe103⤵PID:316
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe104⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe105⤵PID:620
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe106⤵PID:2624
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe107⤵PID:1532
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe109⤵PID:3028
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe110⤵PID:2520
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe111⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe112⤵PID:2400
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe113⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1412 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe115⤵PID:2792
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe116⤵PID:2276
-
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe117⤵PID:1992
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe118⤵PID:444
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe119⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe120⤵PID:2672
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe121⤵PID:2500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-