Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 22:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe
-
Size
96KB
-
MD5
823704f6ecc1931095d7c5a7e2b7b30a
-
SHA1
a79642a9f47711e6d3ba347ae5e572c07af10198
-
SHA256
604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c
-
SHA512
250bcb7ce4e1668f3ba4b1490432bda2e4cef6aaed6a0db692b3642d1eb470c374068b928487472c1389682ddd6c46290c9858d49e89cf9e000e4df3e7b7cb90
-
SSDEEP
1536:RfFbuUTS1OgMmUoJ1CLZ2LnsBMu/HCmiDcg3MZRP3cEW3AE:zjsHvJ1bna6miEo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlgpgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbjopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpnanch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmkghcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdamqndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnomcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogeigofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjfdejp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdeeqehb.exe -
Executes dropped EXE 64 IoCs
pid Process 2160 Afiecb32.exe 2676 Admemg32.exe 2828 Amejeljk.exe 2684 Apcfahio.exe 2484 Abbbnchb.exe 2912 Aepojo32.exe 1572 Ahokfj32.exe 2540 Bpfcgg32.exe 2372 Bbdocc32.exe 544 Bebkpn32.exe 1860 Bhahlj32.exe 2152 Bkodhe32.exe 1252 Bbflib32.exe 2812 Baildokg.exe 2244 Bdhhqk32.exe 680 Bkaqmeah.exe 1040 Bommnc32.exe 996 Balijo32.exe 640 Begeknan.exe 2008 Bdjefj32.exe 2972 Bghabf32.exe 1932 Bkdmcdoe.exe 3004 Bnbjopoi.exe 1556 Bpafkknm.exe 1104 Bdlblj32.exe 2004 Bgknheej.exe 2084 Bkfjhd32.exe 2580 Bnefdp32.exe 2328 Baqbenep.exe 2696 Bdooajdc.exe 2916 Cgmkmecg.exe 1568 Ckignd32.exe 2776 Cjlgiqbk.exe 1868 Ccdlbf32.exe 1896 Cgpgce32.exe 2932 Cfbhnaho.exe 1376 Cllpkl32.exe 2376 Coklgg32.exe 1848 Ccfhhffh.exe 696 Cjpqdp32.exe 816 Clomqk32.exe 1172 Cciemedf.exe 1952 Cbkeib32.exe 2204 Claifkkf.exe 1604 Ckdjbh32.exe 340 Cckace32.exe 768 Cfinoq32.exe 900 Chhjkl32.exe 1644 Cobbhfhg.exe 2600 Cndbcc32.exe 2544 Dbpodagk.exe 2356 Dflkdp32.exe 1452 Ddokpmfo.exe 2192 Dhjgal32.exe 920 Dkhcmgnl.exe 1384 Dodonf32.exe 2888 Dngoibmo.exe 1088 Dbbkja32.exe 1000 Ddagfm32.exe 2856 Dhmcfkme.exe 1956 Dgodbh32.exe 2784 Dkkpbgli.exe 1284 Djnpnc32.exe 1716 Dnilobkm.exe -
Loads dropped DLL 64 IoCs
pid Process 1760 604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe 1760 604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe 2160 Afiecb32.exe 2160 Afiecb32.exe 2676 Admemg32.exe 2676 Admemg32.exe 2828 Amejeljk.exe 2828 Amejeljk.exe 2684 Apcfahio.exe 2684 Apcfahio.exe 2484 Abbbnchb.exe 2484 Abbbnchb.exe 2912 Aepojo32.exe 2912 Aepojo32.exe 1572 Ahokfj32.exe 1572 Ahokfj32.exe 2540 Bpfcgg32.exe 2540 Bpfcgg32.exe 2372 Bbdocc32.exe 2372 Bbdocc32.exe 544 Bebkpn32.exe 544 Bebkpn32.exe 1860 Bhahlj32.exe 1860 Bhahlj32.exe 2152 Bkodhe32.exe 2152 Bkodhe32.exe 1252 Bbflib32.exe 1252 Bbflib32.exe 2812 Baildokg.exe 2812 Baildokg.exe 2244 Bdhhqk32.exe 2244 Bdhhqk32.exe 680 Bkaqmeah.exe 680 Bkaqmeah.exe 1040 Bommnc32.exe 1040 Bommnc32.exe 996 Balijo32.exe 996 Balijo32.exe 640 Begeknan.exe 640 Begeknan.exe 2008 Bdjefj32.exe 2008 Bdjefj32.exe 2972 Bghabf32.exe 2972 Bghabf32.exe 1932 Bkdmcdoe.exe 1932 Bkdmcdoe.exe 3004 Bnbjopoi.exe 3004 Bnbjopoi.exe 1556 Bpafkknm.exe 1556 Bpafkknm.exe 1104 Bdlblj32.exe 1104 Bdlblj32.exe 2004 Bgknheej.exe 2004 Bgknheej.exe 2084 Bkfjhd32.exe 2084 Bkfjhd32.exe 2580 Bnefdp32.exe 2580 Bnefdp32.exe 2328 Baqbenep.exe 2328 Baqbenep.exe 2696 Bdooajdc.exe 2696 Bdooajdc.exe 2916 Cgmkmecg.exe 2916 Cgmkmecg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Feeiob32.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hnojdcfi.exe File opened for modification C:\Windows\SysWOW64\Llfifq32.exe Lmcijcbe.exe File opened for modification C:\Windows\SysWOW64\Oopnlacm.exe Oqmmpd32.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Logbhl32.exe File opened for modification C:\Windows\SysWOW64\Pqkmjh32.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Gddifnbk.exe Gphmeo32.exe File created C:\Windows\SysWOW64\Lmolnh32.exe Lollckbk.exe File opened for modification C:\Windows\SysWOW64\Mhgmapfi.exe Mdkqqa32.exe File opened for modification C:\Windows\SysWOW64\Ajjcbpdd.exe Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Jjlnif32.exe Jfqahgpg.exe File created C:\Windows\SysWOW64\Baoohhdn.dll Kkijmm32.exe File created C:\Windows\SysWOW64\Mmhodf32.exe Mmhodf32.exe File opened for modification C:\Windows\SysWOW64\Ndkmpe32.exe Nehmdhja.exe File created C:\Windows\SysWOW64\Dpajdp32.dll Odobjg32.exe File created C:\Windows\SysWOW64\Kgnnln32.exe Kcbakpdo.exe File opened for modification C:\Windows\SysWOW64\Pjenhm32.exe Pfjbgnme.exe File created C:\Windows\SysWOW64\Dqlcpbbm.dll Lckdanld.exe File created C:\Windows\SysWOW64\Mmjale32.dll Ekhhadmk.exe File opened for modification C:\Windows\SysWOW64\Eccmffjf.exe Edpmjj32.exe File created C:\Windows\SysWOW64\Cndbcc32.exe Cobbhfhg.exe File created C:\Windows\SysWOW64\Cfeoofge.dll Emcbkn32.exe File created C:\Windows\SysWOW64\Eplkpgnh.exe Eqijej32.exe File created C:\Windows\SysWOW64\Fioija32.exe Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Jcbellac.exe Jofiln32.exe File created C:\Windows\SysWOW64\Kmmcjehm.exe Knjbnh32.exe File created C:\Windows\SysWOW64\Egjbkk32.dll Lollckbk.exe File created C:\Windows\SysWOW64\Nocnbmoo.exe Nkgbbo32.exe File created C:\Windows\SysWOW64\Cahail32.exe Cahail32.exe File created C:\Windows\SysWOW64\Cmeabq32.dll Okikfagn.exe File created C:\Windows\SysWOW64\Dinhacjp.dll Ednpej32.exe File opened for modification C:\Windows\SysWOW64\Cjlgiqbk.exe Ckignd32.exe File created C:\Windows\SysWOW64\Cobbhfhg.exe Chhjkl32.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Dgdmmgpj.exe File created C:\Windows\SysWOW64\Hllopfgo.dll Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Joplbl32.exe Jkdpanhg.exe File created C:\Windows\SysWOW64\Heldepab.dll Ofjfhk32.exe File created C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Ijgdngmf.exe Ikddbj32.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Jmhmpb32.exe Jnemdecl.exe File created C:\Windows\SysWOW64\Jmjjea32.exe Jiondcpk.exe File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe Ndpfkdmf.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File opened for modification C:\Windows\SysWOW64\Cahail32.exe Ckoilb32.exe File opened for modification C:\Windows\SysWOW64\Epdkli32.exe Ekholjqg.exe File created C:\Windows\SysWOW64\Mncnkh32.dll Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Kemejc32.exe Kaaijdgn.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Ekelld32.exe File created C:\Windows\SysWOW64\Hpocfncj.exe Hlcgeo32.exe File opened for modification C:\Windows\SysWOW64\Maoajf32.exe Mmceigep.exe File created C:\Windows\SysWOW64\Gjodeppm.dll Monhhk32.exe File opened for modification C:\Windows\SysWOW64\Mppepcfg.exe Mamddf32.exe File created C:\Windows\SysWOW64\Bbdocc32.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Icplghmh.dll Bbdocc32.exe File created C:\Windows\SysWOW64\Djpmccqq.exe Dkmmhf32.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Mdnfbe32.dll Kgnnln32.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Aefeijle.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Henidd32.exe File opened for modification C:\Windows\SysWOW64\Ehgppi32.exe Edkcojga.exe File created C:\Windows\SysWOW64\Fkckeh32.exe Fmpkjkma.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6848 6992 WerFault.exe 681 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejobhppq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll" Ekhhadmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjmhe32.dll" Inqcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmkdbj.dll" Kiccofna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlepd32.dll" Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobkmdfq.dll" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjdbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcpofbjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnfdcqd.dll" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnekf32.dll" Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpbahga.dll" Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbqecg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll" Emieil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpmjak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" Obojhlbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebbgid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcbllb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baqbenep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll" Fjdbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmfll32.dll" Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofelmloo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbdqmghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfcnngnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naajoinb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqideepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll" Efppoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpfkdmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbcpd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 2160 1760 604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe 28 PID 1760 wrote to memory of 2160 1760 604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe 28 PID 1760 wrote to memory of 2160 1760 604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe 28 PID 1760 wrote to memory of 2160 1760 604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe 28 PID 2160 wrote to memory of 2676 2160 Afiecb32.exe 29 PID 2160 wrote to memory of 2676 2160 Afiecb32.exe 29 PID 2160 wrote to memory of 2676 2160 Afiecb32.exe 29 PID 2160 wrote to memory of 2676 2160 Afiecb32.exe 29 PID 2676 wrote to memory of 2828 2676 Admemg32.exe 30 PID 2676 wrote to memory of 2828 2676 Admemg32.exe 30 PID 2676 wrote to memory of 2828 2676 Admemg32.exe 30 PID 2676 wrote to memory of 2828 2676 Admemg32.exe 30 PID 2828 wrote to memory of 2684 2828 Amejeljk.exe 31 PID 2828 wrote to memory of 2684 2828 Amejeljk.exe 31 PID 2828 wrote to memory of 2684 2828 Amejeljk.exe 31 PID 2828 wrote to memory of 2684 2828 Amejeljk.exe 31 PID 2684 wrote to memory of 2484 2684 Apcfahio.exe 32 PID 2684 wrote to memory of 2484 2684 Apcfahio.exe 32 PID 2684 wrote to memory of 2484 2684 Apcfahio.exe 32 PID 2684 wrote to memory of 2484 2684 Apcfahio.exe 32 PID 2484 wrote to memory of 2912 2484 Abbbnchb.exe 33 PID 2484 wrote to memory of 2912 2484 Abbbnchb.exe 33 PID 2484 wrote to memory of 2912 2484 Abbbnchb.exe 33 PID 2484 wrote to memory of 2912 2484 Abbbnchb.exe 33 PID 2912 wrote to memory of 1572 2912 Aepojo32.exe 34 PID 2912 wrote to memory of 1572 2912 Aepojo32.exe 34 PID 2912 wrote to memory of 1572 2912 Aepojo32.exe 34 PID 2912 wrote to memory of 1572 2912 Aepojo32.exe 34 PID 1572 wrote to memory of 2540 1572 Ahokfj32.exe 35 PID 1572 wrote to memory of 2540 1572 Ahokfj32.exe 35 PID 1572 wrote to memory of 2540 1572 Ahokfj32.exe 35 PID 1572 wrote to memory of 2540 1572 Ahokfj32.exe 35 PID 2540 wrote to memory of 2372 2540 Bpfcgg32.exe 36 PID 2540 wrote to memory of 2372 2540 Bpfcgg32.exe 36 PID 2540 wrote to memory of 2372 2540 Bpfcgg32.exe 36 PID 2540 wrote to memory of 2372 2540 Bpfcgg32.exe 36 PID 2372 wrote to memory of 544 2372 Bbdocc32.exe 37 PID 2372 wrote to memory of 544 2372 Bbdocc32.exe 37 PID 2372 wrote to memory of 544 2372 Bbdocc32.exe 37 PID 2372 wrote to memory of 544 2372 Bbdocc32.exe 37 PID 544 wrote to memory of 1860 544 Bebkpn32.exe 38 PID 544 wrote to memory of 1860 544 Bebkpn32.exe 38 PID 544 wrote to memory of 1860 544 Bebkpn32.exe 38 PID 544 wrote to memory of 1860 544 Bebkpn32.exe 38 PID 1860 wrote to memory of 2152 1860 Bhahlj32.exe 39 PID 1860 wrote to memory of 2152 1860 Bhahlj32.exe 39 PID 1860 wrote to memory of 2152 1860 Bhahlj32.exe 39 PID 1860 wrote to memory of 2152 1860 Bhahlj32.exe 39 PID 2152 wrote to memory of 1252 2152 Bkodhe32.exe 40 PID 2152 wrote to memory of 1252 2152 Bkodhe32.exe 40 PID 2152 wrote to memory of 1252 2152 Bkodhe32.exe 40 PID 2152 wrote to memory of 1252 2152 Bkodhe32.exe 40 PID 1252 wrote to memory of 2812 1252 Bbflib32.exe 41 PID 1252 wrote to memory of 2812 1252 Bbflib32.exe 41 PID 1252 wrote to memory of 2812 1252 Bbflib32.exe 41 PID 1252 wrote to memory of 2812 1252 Bbflib32.exe 41 PID 2812 wrote to memory of 2244 2812 Baildokg.exe 42 PID 2812 wrote to memory of 2244 2812 Baildokg.exe 42 PID 2812 wrote to memory of 2244 2812 Baildokg.exe 42 PID 2812 wrote to memory of 2244 2812 Baildokg.exe 42 PID 2244 wrote to memory of 680 2244 Bdhhqk32.exe 43 PID 2244 wrote to memory of 680 2244 Bdhhqk32.exe 43 PID 2244 wrote to memory of 680 2244 Bdhhqk32.exe 43 PID 2244 wrote to memory of 680 2244 Bdhhqk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe"C:\Users\Admin\AppData\Local\Temp\604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:640 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe34⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe35⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe38⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe40⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe41⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe42⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe43⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe45⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe46⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe47⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe48⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe51⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe52⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe53⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe54⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe55⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe56⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe57⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe58⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe59⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe60⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe61⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe62⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe63⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe64⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe65⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe66⤵PID:644
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe67⤵PID:2056
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe68⤵PID:2892
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe69⤵PID:2864
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe70⤵
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe71⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1496 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe73⤵PID:1532
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe74⤵PID:2800
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe75⤵PID:2624
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe76⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe77⤵PID:1988
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe78⤵PID:1748
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe79⤵PID:2264
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe80⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe81⤵PID:1476
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe82⤵PID:2416
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe83⤵PID:1764
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe84⤵PID:2668
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe85⤵PID:2468
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe86⤵
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe87⤵PID:1236
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe88⤵PID:236
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe90⤵PID:3016
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe91⤵PID:2288
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe92⤵PID:2860
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe93⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe94⤵PID:2124
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe95⤵PID:1096
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe96⤵
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe97⤵PID:3000
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe98⤵PID:2792
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe99⤵PID:2392
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe100⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe101⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe102⤵PID:1724
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe103⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe104⤵PID:444
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe105⤵PID:3024
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe106⤵PID:2148
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe107⤵PID:572
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe108⤵PID:2096
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe109⤵PID:2772
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe111⤵PID:1592
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe112⤵PID:1552
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe113⤵PID:1732
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe114⤵PID:2492
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe115⤵PID:2420
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe116⤵
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe117⤵
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe118⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe119⤵PID:2960
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe120⤵PID:2516
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-