Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
01/07/2024, 04:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe
-
Size
55KB
-
MD5
8f61bf92d94468da34699e6a13a3e6ea
-
SHA1
25cfac8559a5156b42914294c87721195b6db3d2
-
SHA256
fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7
-
SHA512
f7bafed95f76e4ef3509bdf062848d79b1a26a037733ddb65d8a9903e68d99689d2866c8f251d69343c976d1841cfd90d01cbdf171d215f96457c344746550e7
-
SSDEEP
1536:CkghcXlgEBZgE4EBY4Z8fpI9jRT6iuHul2LkS:CLsBY9iGuWZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdpejfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkaocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbbcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fedplc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdimmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midcpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffhmjhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhjai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfcmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdijlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifhbdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klnjbbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komfnnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehljhmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfoedl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchmdklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgfbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllpkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbeojgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhncmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jclomamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpnink32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkqecnkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imeggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaqmeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gheimogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgfgdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcmhiojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flgbho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaiiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdejaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkpdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe -
Executes dropped EXE 64 IoCs
pid Process 2172 Doefhl32.exe 2040 Djjjee32.exe 2648 Dqdbboac.exe 2784 Dbeojgga.exe 1580 Dipgfa32.exe 2604 Dkncbm32.exe 1660 Dbhlogeo.exe 3068 Defhkbdb.exe 2584 Dmmplpdd.exe 2792 Dnoldh32.exe 1096 Deidab32.exe 2880 Dggamm32.exe 1424 Dpnink32.exe 1136 Daoefcgd.exe 2380 Eginbm32.exe 2312 Ejhjoh32.exe 356 Eabbkbea.exe 2004 Eemnlanj.exe 1740 Ehljhmmn.exe 860 Ejjfdhlb.exe 1088 Emhbpcke.exe 1552 Eepkaalh.exe 548 Ehngnlkk.exe 2060 Ejlcjhjo.exe 888 Emkofcic.exe 1604 Epilbohf.exe 2036 Eiapkdog.exe 2636 Eplhgn32.exe 2972 Edgdhmom.exe 2776 Eidmqdmd.exe 2664 Elbimplh.exe 2508 Fdianmmj.exe 2448 Ffhmjhln.exe 320 Fmbefbck.exe 2684 Flefbo32.exe 1940 Fbonoiab.exe 2900 Flgbho32.exe 2872 Foeodj32.exe 1140 Fepgqdnc.exe 1132 Fikcacgl.exe 856 Fhncmp32.exe 564 Fliomnfp.exe 1644 Febcfd32.exe 1868 Fhppbp32.exe 472 Fkolnk32.exe 1540 Fedplc32.exe 1688 Gomedi32.exe 1684 Gakaqd32.exe 904 Gdimmp32.exe 1572 Gheimogo.exe 2068 Gghjil32.exe 2596 Giffeg32.exe 1792 Gmabeeef.exe 2764 Gamnfd32.exe 2544 Gdljbp32.exe 2676 Gcojnmdn.exe 2804 Ggjfnk32.exe 1352 Gkeboj32.exe 2840 Gkeboj32.exe 1980 Gmdoke32.exe 2124 Glgofbjn.exe 1272 Gpbkgq32.exe 784 Gdnghpkq.exe 1492 Gglcdkjd.exe -
Loads dropped DLL 64 IoCs
pid Process 944 fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe 944 fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe 2172 Doefhl32.exe 2172 Doefhl32.exe 2040 Djjjee32.exe 2040 Djjjee32.exe 2648 Dqdbboac.exe 2648 Dqdbboac.exe 2784 Dbeojgga.exe 2784 Dbeojgga.exe 1580 Dipgfa32.exe 1580 Dipgfa32.exe 2604 Dkncbm32.exe 2604 Dkncbm32.exe 1660 Dbhlogeo.exe 1660 Dbhlogeo.exe 3068 Defhkbdb.exe 3068 Defhkbdb.exe 2584 Dmmplpdd.exe 2584 Dmmplpdd.exe 2792 Dnoldh32.exe 2792 Dnoldh32.exe 1096 Deidab32.exe 1096 Deidab32.exe 2880 Dggamm32.exe 2880 Dggamm32.exe 1424 Dpnink32.exe 1424 Dpnink32.exe 1136 Daoefcgd.exe 1136 Daoefcgd.exe 2380 Eginbm32.exe 2380 Eginbm32.exe 2312 Ejhjoh32.exe 2312 Ejhjoh32.exe 356 Eabbkbea.exe 356 Eabbkbea.exe 2004 Eemnlanj.exe 2004 Eemnlanj.exe 1740 Ehljhmmn.exe 1740 Ehljhmmn.exe 860 Ejjfdhlb.exe 860 Ejjfdhlb.exe 1088 Emhbpcke.exe 1088 Emhbpcke.exe 1552 Eepkaalh.exe 1552 Eepkaalh.exe 548 Ehngnlkk.exe 548 Ehngnlkk.exe 2060 Ejlcjhjo.exe 2060 Ejlcjhjo.exe 888 Emkofcic.exe 888 Emkofcic.exe 1604 Epilbohf.exe 1604 Epilbohf.exe 2036 Eiapkdog.exe 2036 Eiapkdog.exe 2636 Eplhgn32.exe 2636 Eplhgn32.exe 2972 Edgdhmom.exe 2972 Edgdhmom.exe 2776 Eidmqdmd.exe 2776 Eidmqdmd.exe 2664 Elbimplh.exe 2664 Elbimplh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eliele32.dll Mepnpj32.exe File created C:\Windows\SysWOW64\Baqbenep.exe Bnefdp32.exe File created C:\Windows\SysWOW64\Epilbohf.exe Emkofcic.exe File opened for modification C:\Windows\SysWOW64\Ibmfdkcf.exe Icjfhn32.exe File created C:\Windows\SysWOW64\Hiqbndpb.exe Hknach32.exe File created C:\Windows\SysWOW64\Djjjee32.exe Doefhl32.exe File created C:\Windows\SysWOW64\Ocajbekl.exe Oenifh32.exe File created C:\Windows\SysWOW64\Iamhijgb.dll Eidmqdmd.exe File opened for modification C:\Windows\SysWOW64\Giffeg32.exe Gghjil32.exe File opened for modification C:\Windows\SysWOW64\Gglcdkjd.exe Gdnghpkq.exe File created C:\Windows\SysWOW64\Lmnbkinf.exe Libgjj32.exe File opened for modification C:\Windows\SysWOW64\Nleiqhcg.exe Nnbhek32.exe File created C:\Windows\SysWOW64\Mefagn32.dll Qlhnbf32.exe File created C:\Windows\SysWOW64\Ejhjoh32.exe Eginbm32.exe File created C:\Windows\SysWOW64\Nfedkhje.dll Eepkaalh.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hpocfncj.exe File created C:\Windows\SysWOW64\Bdooajdc.exe Baqbenep.exe File opened for modification C:\Windows\SysWOW64\Fioija32.exe Fjlhneio.exe File created C:\Windows\SysWOW64\Hkfeblka.dll Mhgclfje.exe File opened for modification C:\Windows\SysWOW64\Dnilobkm.exe Djnpnc32.exe File opened for modification C:\Windows\SysWOW64\Enihne32.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hcnpbi32.exe File created C:\Windows\SysWOW64\Kllpojlj.dll Ehljhmmn.exe File created C:\Windows\SysWOW64\Giffeg32.exe Gghjil32.exe File created C:\Windows\SysWOW64\Nmnhpdkg.dll Haogkgoh.exe File created C:\Windows\SysWOW64\Iffeoj32.exe Igcecmfg.exe File created C:\Windows\SysWOW64\Bogjdl32.dll Jklanp32.exe File opened for modification C:\Windows\SysWOW64\Mhnjle32.exe Mepnpj32.exe File created C:\Windows\SysWOW64\Dnelgk32.dll Ojieip32.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Dkmmhf32.exe File created C:\Windows\SysWOW64\Dbhlogeo.exe Dkncbm32.exe File created C:\Windows\SysWOW64\Hkeonm32.exe Hgjbmoob.exe File created C:\Windows\SysWOW64\Lpdhmlbj.dll Egamfkdh.exe File created C:\Windows\SysWOW64\Cgpgce32.exe Cdakgibq.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Clomqk32.exe File created C:\Windows\SysWOW64\Fikcacgl.exe Fepgqdnc.exe File created C:\Windows\SysWOW64\Bnebmi32.dll Nqcagfim.exe File created C:\Windows\SysWOW64\Gomjhjmm.dll Jnhqdkde.exe File created C:\Windows\SysWOW64\Mpkibc32.dll Jmbgpg32.exe File opened for modification C:\Windows\SysWOW64\Blmdlhmp.exe Bingpmnl.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Hoakolod.exe Hkeonm32.exe File created C:\Windows\SysWOW64\Imnafd32.exe Inkakhpg.exe File opened for modification C:\Windows\SysWOW64\Bebkpn32.exe Bbdocc32.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Oqqapjnk.exe Onbddoog.exe File opened for modification C:\Windows\SysWOW64\Alhjai32.exe Aiinen32.exe File created C:\Windows\SysWOW64\Nbipbe32.dll Kfoedl32.exe File opened for modification C:\Windows\SysWOW64\Kpjfba32.exe Klnjbbdh.exe File created C:\Windows\SysWOW64\Mgajhbkg.exe Mhnjle32.exe File opened for modification C:\Windows\SysWOW64\Nbdnoo32.exe Ncancbha.exe File created C:\Windows\SysWOW64\Clomqk32.exe Chcqpmep.exe File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe Djefobmk.exe File created C:\Windows\SysWOW64\Ehngnlkk.exe Eepkaalh.exe File opened for modification C:\Windows\SysWOW64\Hbbcpg32.exe Hjkkojlc.exe File opened for modification C:\Windows\SysWOW64\Nfmmin32.exe Ngkmnacm.exe File created C:\Windows\SysWOW64\Oghlgdgk.exe Oiellh32.exe File created C:\Windows\SysWOW64\Kedlancd.dll Ohqbqhde.exe File opened for modification C:\Windows\SysWOW64\Oicpfh32.exe Ofdcjm32.exe File opened for modification C:\Windows\SysWOW64\Phjelg32.exe Pigeqkai.exe File created C:\Windows\SysWOW64\Hdhbam32.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Gakaqd32.exe Gomedi32.exe File created C:\Windows\SysWOW64\Gheimogo.exe Gdimmp32.exe File created C:\Windows\SysWOW64\Onphoo32.exe Oomhcbjp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5628 5580 WerFault.exe 528 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjecnop.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodnnc32.dll" Maphdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngfcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmoipopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fikcacgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmmplpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eginbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmbefbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijaapifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmekfeeo.dll" Icjfhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbalnnam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doefhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofbfdmeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hheelbjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpjfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amndem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllpojlj.dll" Ehljhmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiekj32.dll" Hkcbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhioga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Midcpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhnjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fepgqdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgqemakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eakjok32.dll" Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheocend.dll" Gmabeeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeeh32.dll" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffbicfoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dipgfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekngadg.dll" Jgqemakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neeeodef.dll" Ofdcjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlnib32.dll" Gllhaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hefipfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqeihfll.dll" Nhlifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdljbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imeggc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjfba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okoomd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojkboo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeohn32.dll" Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfedkhje.dll" Eepkaalh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gimlefge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 944 wrote to memory of 2172 944 fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe 28 PID 944 wrote to memory of 2172 944 fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe 28 PID 944 wrote to memory of 2172 944 fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe 28 PID 944 wrote to memory of 2172 944 fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe 28 PID 2172 wrote to memory of 2040 2172 Doefhl32.exe 29 PID 2172 wrote to memory of 2040 2172 Doefhl32.exe 29 PID 2172 wrote to memory of 2040 2172 Doefhl32.exe 29 PID 2172 wrote to memory of 2040 2172 Doefhl32.exe 29 PID 2040 wrote to memory of 2648 2040 Djjjee32.exe 30 PID 2040 wrote to memory of 2648 2040 Djjjee32.exe 30 PID 2040 wrote to memory of 2648 2040 Djjjee32.exe 30 PID 2040 wrote to memory of 2648 2040 Djjjee32.exe 30 PID 2648 wrote to memory of 2784 2648 Dqdbboac.exe 31 PID 2648 wrote to memory of 2784 2648 Dqdbboac.exe 31 PID 2648 wrote to memory of 2784 2648 Dqdbboac.exe 31 PID 2648 wrote to memory of 2784 2648 Dqdbboac.exe 31 PID 2784 wrote to memory of 1580 2784 Dbeojgga.exe 32 PID 2784 wrote to memory of 1580 2784 Dbeojgga.exe 32 PID 2784 wrote to memory of 1580 2784 Dbeojgga.exe 32 PID 2784 wrote to memory of 1580 2784 Dbeojgga.exe 32 PID 1580 wrote to memory of 2604 1580 Dipgfa32.exe 33 PID 1580 wrote to memory of 2604 1580 Dipgfa32.exe 33 PID 1580 wrote to memory of 2604 1580 Dipgfa32.exe 33 PID 1580 wrote to memory of 2604 1580 Dipgfa32.exe 33 PID 2604 wrote to memory of 1660 2604 Dkncbm32.exe 34 PID 2604 wrote to memory of 1660 2604 Dkncbm32.exe 34 PID 2604 wrote to memory of 1660 2604 Dkncbm32.exe 34 PID 2604 wrote to memory of 1660 2604 Dkncbm32.exe 34 PID 1660 wrote to memory of 3068 1660 Dbhlogeo.exe 35 PID 1660 wrote to memory of 3068 1660 Dbhlogeo.exe 35 PID 1660 wrote to memory of 3068 1660 Dbhlogeo.exe 35 PID 1660 wrote to memory of 3068 1660 Dbhlogeo.exe 35 PID 3068 wrote to memory of 2584 3068 Defhkbdb.exe 36 PID 3068 wrote to memory of 2584 3068 Defhkbdb.exe 36 PID 3068 wrote to memory of 2584 3068 Defhkbdb.exe 36 PID 3068 wrote to memory of 2584 3068 Defhkbdb.exe 36 PID 2584 wrote to memory of 2792 2584 Dmmplpdd.exe 37 PID 2584 wrote to memory of 2792 2584 Dmmplpdd.exe 37 PID 2584 wrote to memory of 2792 2584 Dmmplpdd.exe 37 PID 2584 wrote to memory of 2792 2584 Dmmplpdd.exe 37 PID 2792 wrote to memory of 1096 2792 Dnoldh32.exe 38 PID 2792 wrote to memory of 1096 2792 Dnoldh32.exe 38 PID 2792 wrote to memory of 1096 2792 Dnoldh32.exe 38 PID 2792 wrote to memory of 1096 2792 Dnoldh32.exe 38 PID 1096 wrote to memory of 2880 1096 Deidab32.exe 39 PID 1096 wrote to memory of 2880 1096 Deidab32.exe 39 PID 1096 wrote to memory of 2880 1096 Deidab32.exe 39 PID 1096 wrote to memory of 2880 1096 Deidab32.exe 39 PID 2880 wrote to memory of 1424 2880 Dggamm32.exe 40 PID 2880 wrote to memory of 1424 2880 Dggamm32.exe 40 PID 2880 wrote to memory of 1424 2880 Dggamm32.exe 40 PID 2880 wrote to memory of 1424 2880 Dggamm32.exe 40 PID 1424 wrote to memory of 1136 1424 Dpnink32.exe 41 PID 1424 wrote to memory of 1136 1424 Dpnink32.exe 41 PID 1424 wrote to memory of 1136 1424 Dpnink32.exe 41 PID 1424 wrote to memory of 1136 1424 Dpnink32.exe 41 PID 1136 wrote to memory of 2380 1136 Daoefcgd.exe 42 PID 1136 wrote to memory of 2380 1136 Daoefcgd.exe 42 PID 1136 wrote to memory of 2380 1136 Daoefcgd.exe 42 PID 1136 wrote to memory of 2380 1136 Daoefcgd.exe 42 PID 2380 wrote to memory of 2312 2380 Eginbm32.exe 43 PID 2380 wrote to memory of 2312 2380 Eginbm32.exe 43 PID 2380 wrote to memory of 2312 2380 Eginbm32.exe 43 PID 2380 wrote to memory of 2312 2380 Eginbm32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe"C:\Users\Admin\AppData\Local\Temp\fb1c2d5922145befea1dbbf4448da435b1ab107c3b04373368b7e0622a5cd5e7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Doefhl32.exeC:\Windows\system32\Doefhl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Djjjee32.exeC:\Windows\system32\Djjjee32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Dqdbboac.exeC:\Windows\system32\Dqdbboac.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Dbeojgga.exeC:\Windows\system32\Dbeojgga.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Dipgfa32.exeC:\Windows\system32\Dipgfa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Dkncbm32.exeC:\Windows\system32\Dkncbm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Dbhlogeo.exeC:\Windows\system32\Dbhlogeo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Defhkbdb.exeC:\Windows\system32\Defhkbdb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Dmmplpdd.exeC:\Windows\system32\Dmmplpdd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Dnoldh32.exeC:\Windows\system32\Dnoldh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Deidab32.exeC:\Windows\system32\Deidab32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Dggamm32.exeC:\Windows\system32\Dggamm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Dpnink32.exeC:\Windows\system32\Dpnink32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Daoefcgd.exeC:\Windows\system32\Daoefcgd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Eginbm32.exeC:\Windows\system32\Eginbm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Ejhjoh32.exeC:\Windows\system32\Ejhjoh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Eabbkbea.exeC:\Windows\system32\Eabbkbea.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:356 -
C:\Windows\SysWOW64\Eemnlanj.exeC:\Windows\system32\Eemnlanj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Ehljhmmn.exeC:\Windows\system32\Ehljhmmn.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Ejjfdhlb.exeC:\Windows\system32\Ejjfdhlb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Emhbpcke.exeC:\Windows\system32\Emhbpcke.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Eepkaalh.exeC:\Windows\system32\Eepkaalh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Ehngnlkk.exeC:\Windows\system32\Ehngnlkk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Ejlcjhjo.exeC:\Windows\system32\Ejlcjhjo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Emkofcic.exeC:\Windows\system32\Emkofcic.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Epilbohf.exeC:\Windows\system32\Epilbohf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Eiapkdog.exeC:\Windows\system32\Eiapkdog.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Eplhgn32.exeC:\Windows\system32\Eplhgn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Edgdhmom.exeC:\Windows\system32\Edgdhmom.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Eidmqdmd.exeC:\Windows\system32\Eidmqdmd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Elbimplh.exeC:\Windows\system32\Elbimplh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Fdianmmj.exeC:\Windows\system32\Fdianmmj.exe33⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ffhmjhln.exeC:\Windows\system32\Ffhmjhln.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Fmbefbck.exeC:\Windows\system32\Fmbefbck.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Flefbo32.exeC:\Windows\system32\Flefbo32.exe36⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Fbonoiab.exeC:\Windows\system32\Fbonoiab.exe37⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Flgbho32.exeC:\Windows\system32\Flgbho32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Foeodj32.exeC:\Windows\system32\Foeodj32.exe39⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Fepgqdnc.exeC:\Windows\system32\Fepgqdnc.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Fikcacgl.exeC:\Windows\system32\Fikcacgl.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Fhncmp32.exeC:\Windows\system32\Fhncmp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Fliomnfp.exeC:\Windows\system32\Fliomnfp.exe43⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Febcfd32.exeC:\Windows\system32\Febcfd32.exe44⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Fhppbp32.exeC:\Windows\system32\Fhppbp32.exe45⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Fkolnk32.exeC:\Windows\system32\Fkolnk32.exe46⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Fedplc32.exeC:\Windows\system32\Fedplc32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Gomedi32.exeC:\Windows\system32\Gomedi32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Gakaqd32.exeC:\Windows\system32\Gakaqd32.exe49⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Gdimmp32.exeC:\Windows\system32\Gdimmp32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Gheimogo.exeC:\Windows\system32\Gheimogo.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Gghjil32.exeC:\Windows\system32\Gghjil32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Giffeg32.exeC:\Windows\system32\Giffeg32.exe53⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Gmabeeef.exeC:\Windows\system32\Gmabeeef.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Gamnfd32.exeC:\Windows\system32\Gamnfd32.exe55⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Gdljbp32.exeC:\Windows\system32\Gdljbp32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Gcojnmdn.exeC:\Windows\system32\Gcojnmdn.exe57⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Ggjfnk32.exeC:\Windows\system32\Ggjfnk32.exe58⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Gkeboj32.exeC:\Windows\system32\Gkeboj32.exe59⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Gkeboj32.exeC:\Windows\system32\Gkeboj32.exe60⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Gmdoke32.exeC:\Windows\system32\Gmdoke32.exe61⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Glgofbjn.exeC:\Windows\system32\Glgofbjn.exe62⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Gpbkgq32.exeC:\Windows\system32\Gpbkgq32.exe63⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Gdnghpkq.exeC:\Windows\system32\Gdnghpkq.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Gglcdkjd.exeC:\Windows\system32\Gglcdkjd.exe65⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Gikopfih.exeC:\Windows\system32\Gikopfih.exe66⤵PID:1968
-
C:\Windows\SysWOW64\Gikopfih.exeC:\Windows\system32\Gikopfih.exe67⤵PID:1048
-
C:\Windows\SysWOW64\Gnfkqe32.exeC:\Windows\system32\Gnfkqe32.exe68⤵PID:1872
-
C:\Windows\SysWOW64\Gliklahk.exeC:\Windows\system32\Gliklahk.exe69⤵PID:352
-
C:\Windows\SysWOW64\Gohhhmgo.exeC:\Windows\system32\Gohhhmgo.exe70⤵PID:908
-
C:\Windows\SysWOW64\Gimlefge.exeC:\Windows\system32\Gimlefge.exe71⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Ghplac32.exeC:\Windows\system32\Ghplac32.exe72⤵PID:2588
-
C:\Windows\SysWOW64\Gllhaa32.exeC:\Windows\system32\Gllhaa32.exe73⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Gojdnm32.exeC:\Windows\system32\Gojdnm32.exe74⤵PID:2780
-
C:\Windows\SysWOW64\Hceqnlnf.exeC:\Windows\system32\Hceqnlnf.exe75⤵PID:3060
-
C:\Windows\SysWOW64\Hahqjh32.exeC:\Windows\system32\Hahqjh32.exe76⤵PID:1476
-
C:\Windows\SysWOW64\Hhbigblm.exeC:\Windows\system32\Hhbigblm.exe77⤵PID:1428
-
C:\Windows\SysWOW64\Hlnega32.exeC:\Windows\system32\Hlnega32.exe78⤵PID:2932
-
C:\Windows\SysWOW64\Hkqecnkq.exeC:\Windows\system32\Hkqecnkq.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:324 -
C:\Windows\SysWOW64\Hakmph32.exeC:\Windows\system32\Hakmph32.exe81⤵PID:1992
-
C:\Windows\SysWOW64\Hefipfkg.exeC:\Windows\system32\Hefipfkg.exe82⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Hdijlc32.exeC:\Windows\system32\Hdijlc32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe84⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe85⤵PID:1708
-
C:\Windows\SysWOW64\Hkcbhn32.exeC:\Windows\system32\Hkcbhn32.exe86⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe87⤵PID:2532
-
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe88⤵PID:2552
-
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe89⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Hkeonm32.exeC:\Windows\system32\Hkeonm32.exe90⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe91⤵PID:864
-
C:\Windows\SysWOW64\Haogkgoh.exeC:\Windows\system32\Haogkgoh.exe92⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe93⤵
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe94⤵PID:1488
-
C:\Windows\SysWOW64\Hkhkcm32.exeC:\Windows\system32\Hkhkcm32.exe95⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe96⤵
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe98⤵PID:2632
-
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe100⤵PID:2524
-
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe101⤵PID:1632
-
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe102⤵PID:2000
-
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe103⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe104⤵PID:1412
-
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe105⤵PID:2132
-
C:\Windows\SysWOW64\Igcecmfg.exeC:\Windows\system32\Igcecmfg.exe106⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe107⤵PID:452
-
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe108⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe109⤵PID:2408
-
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe111⤵PID:2600
-
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe113⤵PID:2112
-
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe114⤵PID:2732
-
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe115⤵PID:2876
-
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe116⤵PID:3048
-
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe117⤵PID:392
-
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe118⤵PID:1884
-
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe120⤵PID:2640
-
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe121⤵PID:2504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-