Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 19:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe
-
Size
67KB
-
MD5
0de5c36a2c8104242bc16e0902476795
-
SHA1
26b3c26843904efbc4723142628aa751431789c3
-
SHA256
1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891
-
SHA512
e913af127254842b6eeeda058157b339a16840e2f506ab72de0f07731f84cdd0c932fb18dc5f9d7335cc79ed0ce9f5bc2b739b4dbb4421126ac69fa70599c500
-
SSDEEP
1536:CPssguWI93NMswhrejMiXC7+jY1cgCe8uC:ossvWI93NMVwjMiXTjYugCe8uC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faigdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkklljmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimccpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niikceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahjpbad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdifkpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbakpdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbokmqie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecqqpgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoamgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfmfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keednado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gogangdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlkopcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ileiplhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpjqiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giieco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qabcjgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmmiij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkdkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gffoldhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaobdjof.exe -
Executes dropped EXE 64 IoCs
pid Process 1752 Cobbhfhg.exe 2556 Dgmglh32.exe 2568 Dkhcmgnl.exe 2396 Dbbkja32.exe 2408 Ddagfm32.exe 2440 Dkkpbgli.exe 2336 Dnilobkm.exe 1280 Ddcdkl32.exe 1232 Dgaqgh32.exe 2152 Dnlidb32.exe 312 Dqjepm32.exe 1612 Dchali32.exe 2280 Djbiicon.exe 840 Dqlafm32.exe 1128 Doobajme.exe 2460 Dcknbh32.exe 1576 Emcbkn32.exe 2596 Eqonkmdh.exe 1456 Ecmkghcl.exe 712 Ebpkce32.exe 2620 Ejgcdb32.exe 552 Eijcpoac.exe 768 Emeopn32.exe 960 Ebbgid32.exe 2928 Emhlfmgj.exe 1532 Enihne32.exe 2872 Efppoc32.exe 2616 Epieghdk.exe 2588 Enkece32.exe 2384 Eloemi32.exe 2360 Ejbfhfaj.exe 2412 Fhffaj32.exe 1244 Fjdbnf32.exe 2608 Fnpnndgp.exe 2148 Fcmgfkeg.exe 376 Fhhcgj32.exe 1596 Faagpp32.exe 688 Fdoclk32.exe 2040 Fjilieka.exe 1844 Filldb32.exe 1720 Facdeo32.exe 1952 Fjlhneio.exe 2680 Fioija32.exe 2732 Fddmgjpo.exe 2736 Ffbicfoc.exe 1496 Feeiob32.exe 1660 Gpknlk32.exe 2992 Gonnhhln.exe 1984 Gfefiemq.exe 1544 Gegfdb32.exe 2512 Ghfbqn32.exe 2520 Gpmjak32.exe 2836 Gopkmhjk.exe 2640 Gbkgnfbd.exe 2816 Gangic32.exe 2348 Ghhofmql.exe 2600 Gkgkbipp.exe 300 Gobgcg32.exe 1792 Gbnccfpb.exe 540 Gelppaof.exe 2024 Glfhll32.exe 1204 Gkihhhnm.exe 1616 Gmgdddmq.exe 836 Gacpdbej.exe -
Loads dropped DLL 64 IoCs
pid Process 1040 1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe 1040 1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe 1752 Cobbhfhg.exe 1752 Cobbhfhg.exe 2556 Dgmglh32.exe 2556 Dgmglh32.exe 2568 Dkhcmgnl.exe 2568 Dkhcmgnl.exe 2396 Dbbkja32.exe 2396 Dbbkja32.exe 2408 Ddagfm32.exe 2408 Ddagfm32.exe 2440 Dkkpbgli.exe 2440 Dkkpbgli.exe 2336 Dnilobkm.exe 2336 Dnilobkm.exe 1280 Ddcdkl32.exe 1280 Ddcdkl32.exe 1232 Dgaqgh32.exe 1232 Dgaqgh32.exe 2152 Dnlidb32.exe 2152 Dnlidb32.exe 312 Dqjepm32.exe 312 Dqjepm32.exe 1612 Dchali32.exe 1612 Dchali32.exe 2280 Djbiicon.exe 2280 Djbiicon.exe 840 Dqlafm32.exe 840 Dqlafm32.exe 1128 Doobajme.exe 1128 Doobajme.exe 2460 Dcknbh32.exe 2460 Dcknbh32.exe 1576 Emcbkn32.exe 1576 Emcbkn32.exe 2596 Eqonkmdh.exe 2596 Eqonkmdh.exe 1456 Ecmkghcl.exe 1456 Ecmkghcl.exe 712 Ebpkce32.exe 712 Ebpkce32.exe 2620 Ejgcdb32.exe 2620 Ejgcdb32.exe 552 Eijcpoac.exe 552 Eijcpoac.exe 768 Emeopn32.exe 768 Emeopn32.exe 960 Ebbgid32.exe 960 Ebbgid32.exe 2928 Emhlfmgj.exe 2928 Emhlfmgj.exe 1532 Enihne32.exe 1532 Enihne32.exe 2872 Efppoc32.exe 2872 Efppoc32.exe 2616 Epieghdk.exe 2616 Epieghdk.exe 2588 Enkece32.exe 2588 Enkece32.exe 2384 Eloemi32.exe 2384 Eloemi32.exe 2360 Ejbfhfaj.exe 2360 Ejbfhfaj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hogmmjfo.exe Hkkalk32.exe File created C:\Windows\SysWOW64\Jdgdempa.exe Jqlhdo32.exe File opened for modification C:\Windows\SysWOW64\Nigome32.exe Nekbmgcn.exe File created C:\Windows\SysWOW64\Mpigfa32.exe Mlmlecec.exe File opened for modification C:\Windows\SysWOW64\Pqhpdhcc.exe Pnjdhmdo.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Aplifb32.exe File opened for modification C:\Windows\SysWOW64\Kfmjgeaj.exe Kconkibf.exe File created C:\Windows\SysWOW64\Lmikibio.exe Linphc32.exe File created C:\Windows\SysWOW64\Idcokkak.exe Illgimph.exe File created C:\Windows\SysWOW64\Jcjbelmp.dll Kofopj32.exe File created C:\Windows\SysWOW64\Lemaif32.exe Lfjqnjkh.exe File created C:\Windows\SysWOW64\Kijmee32.dll Nkgbbo32.exe File opened for modification C:\Windows\SysWOW64\Pimkpfeh.exe Pdaoog32.exe File created C:\Windows\SysWOW64\Amaipodm.dll Qmfgjh32.exe File created C:\Windows\SysWOW64\Efhhaddp.dll Dliijipn.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Lnjmhe32.dll Inqcif32.exe File created C:\Windows\SysWOW64\Fgefik32.dll Ohfeog32.exe File created C:\Windows\SysWOW64\Qimhoi32.exe Qbcpbo32.exe File created C:\Windows\SysWOW64\Melfncqb.exe Mapjmehi.exe File created C:\Windows\SysWOW64\Dlkaflan.dll Dfoqmo32.exe File created C:\Windows\SysWOW64\Jpajnpao.dll Ghoegl32.exe File opened for modification C:\Windows\SysWOW64\Hellne32.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Mclgfa32.dll Bbjbaa32.exe File created C:\Windows\SysWOW64\Pbkafj32.dll Ceodnl32.exe File created C:\Windows\SysWOW64\Qfjnod32.dll Chpmpg32.exe File opened for modification C:\Windows\SysWOW64\Inngcfid.exe Ikpjgkjq.exe File created C:\Windows\SysWOW64\Gmndnn32.dll Miooigfo.exe File opened for modification C:\Windows\SysWOW64\Ebjglbml.exe Eplkpgnh.exe File opened for modification C:\Windows\SysWOW64\Jqfffqpm.exe Jmjjea32.exe File created C:\Windows\SysWOW64\Bppoqeja.exe Bldcpf32.exe File opened for modification C:\Windows\SysWOW64\Ckoilb32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Dempblao.dll Iimjmbae.exe File created C:\Windows\SysWOW64\Hebpjd32.dll Jcmafj32.exe File created C:\Windows\SysWOW64\Padajbnl.dll Kohkfj32.exe File opened for modification C:\Windows\SysWOW64\Mdmmfa32.exe Maoajf32.exe File created C:\Windows\SysWOW64\Bafidiio.exe Bioqclil.exe File created C:\Windows\SysWOW64\Biicik32.exe Bemgilhh.exe File opened for modification C:\Windows\SysWOW64\Djmicm32.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Egafleqm.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Fhffaj32.exe Ejbfhfaj.exe File opened for modification C:\Windows\SysWOW64\Fmbhok32.exe Figlolbf.exe File created C:\Windows\SysWOW64\Hcodhoaf.dll Hipkdnmf.exe File created C:\Windows\SysWOW64\Epieghdk.exe Efppoc32.exe File created C:\Windows\SysWOW64\Ofelmloo.exe Ogblbo32.exe File opened for modification C:\Windows\SysWOW64\Qmfgjh32.exe Pjhknm32.exe File created C:\Windows\SysWOW64\Ffdiejho.dll Biicik32.exe File opened for modification C:\Windows\SysWOW64\Kmefooki.exe Kjfjbdle.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File created C:\Windows\SysWOW64\Jbgbni32.exe Jcdbbloa.exe File created C:\Windows\SysWOW64\Kcbakpdo.exe Keoapb32.exe File created C:\Windows\SysWOW64\Nacgdhlp.exe Njlockkm.exe File opened for modification C:\Windows\SysWOW64\Incpoe32.exe Ikddbj32.exe File opened for modification C:\Windows\SysWOW64\Ekelld32.exe Egjpkffe.exe File created C:\Windows\SysWOW64\Mdcpdp32.exe Maedhd32.exe File created C:\Windows\SysWOW64\Gkgkbipp.exe Ghhofmql.exe File created C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File created C:\Windows\SysWOW64\Cpinomjo.dll Fglipi32.exe File created C:\Windows\SysWOW64\Iemkjqde.dll Lijjoe32.exe File created C:\Windows\SysWOW64\Jdmqokqf.dll Pjhknm32.exe File created C:\Windows\SysWOW64\Bebpkk32.dll Cpnojioo.exe File opened for modification C:\Windows\SysWOW64\Ejobhppq.exe Egafleqm.exe File opened for modification C:\Windows\SysWOW64\Mhhfdo32.exe Meijhc32.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Bpnbkeld.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6180 6368 WerFault.exe 688 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneloe32.dll" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpgmdog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nacgdhlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcggqfg.dll" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemgilhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapiomln.dll" Jfqahgpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjqccigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimpgolj.dll" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmol32.dll" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgphd32.dll" Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipkdnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jchhkjhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfegi32.dll" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpinomjo.dll" Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpehocqo.dll" Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdlhjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejgcdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooclokl.dll" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppmppld.dll" Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinekb32.dll" Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll" Kfbcbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lemaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gebbnpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhijl32.dll" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehkbgdf.dll" Gbcfadgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejinjob.dll" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlgldibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijdkh32.dll" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll" Maedhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjfjbdle.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1040 wrote to memory of 1752 1040 1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe 28 PID 1040 wrote to memory of 1752 1040 1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe 28 PID 1040 wrote to memory of 1752 1040 1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe 28 PID 1040 wrote to memory of 1752 1040 1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe 28 PID 1752 wrote to memory of 2556 1752 Cobbhfhg.exe 29 PID 1752 wrote to memory of 2556 1752 Cobbhfhg.exe 29 PID 1752 wrote to memory of 2556 1752 Cobbhfhg.exe 29 PID 1752 wrote to memory of 2556 1752 Cobbhfhg.exe 29 PID 2556 wrote to memory of 2568 2556 Dgmglh32.exe 30 PID 2556 wrote to memory of 2568 2556 Dgmglh32.exe 30 PID 2556 wrote to memory of 2568 2556 Dgmglh32.exe 30 PID 2556 wrote to memory of 2568 2556 Dgmglh32.exe 30 PID 2568 wrote to memory of 2396 2568 Dkhcmgnl.exe 31 PID 2568 wrote to memory of 2396 2568 Dkhcmgnl.exe 31 PID 2568 wrote to memory of 2396 2568 Dkhcmgnl.exe 31 PID 2568 wrote to memory of 2396 2568 Dkhcmgnl.exe 31 PID 2396 wrote to memory of 2408 2396 Dbbkja32.exe 32 PID 2396 wrote to memory of 2408 2396 Dbbkja32.exe 32 PID 2396 wrote to memory of 2408 2396 Dbbkja32.exe 32 PID 2396 wrote to memory of 2408 2396 Dbbkja32.exe 32 PID 2408 wrote to memory of 2440 2408 Ddagfm32.exe 33 PID 2408 wrote to memory of 2440 2408 Ddagfm32.exe 33 PID 2408 wrote to memory of 2440 2408 Ddagfm32.exe 33 PID 2408 wrote to memory of 2440 2408 Ddagfm32.exe 33 PID 2440 wrote to memory of 2336 2440 Dkkpbgli.exe 34 PID 2440 wrote to memory of 2336 2440 Dkkpbgli.exe 34 PID 2440 wrote to memory of 2336 2440 Dkkpbgli.exe 34 PID 2440 wrote to memory of 2336 2440 Dkkpbgli.exe 34 PID 2336 wrote to memory of 1280 2336 Dnilobkm.exe 35 PID 2336 wrote to memory of 1280 2336 Dnilobkm.exe 35 PID 2336 wrote to memory of 1280 2336 Dnilobkm.exe 35 PID 2336 wrote to memory of 1280 2336 Dnilobkm.exe 35 PID 1280 wrote to memory of 1232 1280 Ddcdkl32.exe 36 PID 1280 wrote to memory of 1232 1280 Ddcdkl32.exe 36 PID 1280 wrote to memory of 1232 1280 Ddcdkl32.exe 36 PID 1280 wrote to memory of 1232 1280 Ddcdkl32.exe 36 PID 1232 wrote to memory of 2152 1232 Dgaqgh32.exe 37 PID 1232 wrote to memory of 2152 1232 Dgaqgh32.exe 37 PID 1232 wrote to memory of 2152 1232 Dgaqgh32.exe 37 PID 1232 wrote to memory of 2152 1232 Dgaqgh32.exe 37 PID 2152 wrote to memory of 312 2152 Dnlidb32.exe 38 PID 2152 wrote to memory of 312 2152 Dnlidb32.exe 38 PID 2152 wrote to memory of 312 2152 Dnlidb32.exe 38 PID 2152 wrote to memory of 312 2152 Dnlidb32.exe 38 PID 312 wrote to memory of 1612 312 Dqjepm32.exe 39 PID 312 wrote to memory of 1612 312 Dqjepm32.exe 39 PID 312 wrote to memory of 1612 312 Dqjepm32.exe 39 PID 312 wrote to memory of 1612 312 Dqjepm32.exe 39 PID 1612 wrote to memory of 2280 1612 Dchali32.exe 40 PID 1612 wrote to memory of 2280 1612 Dchali32.exe 40 PID 1612 wrote to memory of 2280 1612 Dchali32.exe 40 PID 1612 wrote to memory of 2280 1612 Dchali32.exe 40 PID 2280 wrote to memory of 840 2280 Djbiicon.exe 41 PID 2280 wrote to memory of 840 2280 Djbiicon.exe 41 PID 2280 wrote to memory of 840 2280 Djbiicon.exe 41 PID 2280 wrote to memory of 840 2280 Djbiicon.exe 41 PID 840 wrote to memory of 1128 840 Dqlafm32.exe 42 PID 840 wrote to memory of 1128 840 Dqlafm32.exe 42 PID 840 wrote to memory of 1128 840 Dqlafm32.exe 42 PID 840 wrote to memory of 1128 840 Dqlafm32.exe 42 PID 1128 wrote to memory of 2460 1128 Doobajme.exe 43 PID 1128 wrote to memory of 2460 1128 Doobajme.exe 43 PID 1128 wrote to memory of 2460 1128 Doobajme.exe 43 PID 1128 wrote to memory of 2460 1128 Doobajme.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe"C:\Users\Admin\AppData\Local\Temp\1a583cdaddb1f5ec814dcec0d4f55c15f674c25142612504beffe6bb9df98891.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:712 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe33⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe34⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe35⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe36⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe37⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe39⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe40⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe41⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe42⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe43⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe44⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe45⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe46⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe47⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe48⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe49⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe50⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe51⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe52⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe53⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe54⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe56⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe58⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe59⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe60⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe62⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe63⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe64⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe65⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe67⤵PID:2192
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe69⤵PID:620
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe70⤵PID:2832
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe71⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe72⤵PID:2368
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe73⤵PID:2720
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe75⤵PID:1240
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe76⤵PID:2248
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe77⤵PID:1564
-
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe78⤵PID:780
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe79⤵PID:2912
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe80⤵PID:2036
-
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe81⤵PID:2320
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe82⤵PID:3000
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe83⤵PID:356
-
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe86⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe87⤵PID:2540
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe88⤵PID:2404
-
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe89⤵PID:856
-
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe90⤵PID:1324
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe91⤵PID:764
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe92⤵PID:2284
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe93⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe94⤵PID:2308
-
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe95⤵PID:772
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe97⤵PID:1960
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe98⤵PID:1920
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe99⤵PID:2536
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe100⤵PID:2628
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe101⤵PID:1512
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe102⤵PID:1516
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe104⤵PID:1036
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe105⤵PID:3064
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe106⤵PID:2316
-
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe107⤵PID:592
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe108⤵PID:2260
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe109⤵
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe110⤵PID:1628
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe111⤵PID:2724
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe112⤵PID:2472
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe113⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe114⤵PID:2852
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe115⤵PID:1228
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe116⤵PID:324
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe117⤵PID:2812
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe118⤵PID:1408
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe119⤵PID:2064
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe120⤵PID:496
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-