Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
04/07/2024, 20:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe
-
Size
232KB
-
MD5
ab5f166e0f98ad2eeb30f0ebf9f4c7f0
-
SHA1
2afb17391733d1acea4722d12792ba8f40362b5d
-
SHA256
0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c
-
SHA512
ab8291cad7f41730d5a776da4f62e557a9298870c3ff66c102daefb24baa747f3331552faa512e6ec8b6cf78dec269c0d6f06d34ab92fe187b2c9664d0fb6d19
-
SSDEEP
3072:fmAJ4ve9KDtC7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfzPa+:/yve9ktC6s21L7/s50z/Wa3/PNlPX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplifb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niebhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffklhqao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbngf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjpeifj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddpfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcqaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpcfkbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbdonb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heihnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqnejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbakpdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpcbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pedleg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganpomec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbgmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmhgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mabgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkogj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpfojmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibebfpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnennj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meccii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdonb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe -
Executes dropped EXE 64 IoCs
pid Process 1184 Dfijnd32.exe 2608 Ejgcdb32.exe 2776 Ecpgmhai.exe 1148 Ekklaj32.exe 2604 Eecqjpee.exe 2572 Eajaoq32.exe 2956 Eloemi32.exe 348 Fehjeo32.exe 1796 Fjdbnf32.exe 1964 Fjgoce32.exe 1788 Fhkpmjln.exe 1980 Fmhheqje.exe 2412 Fjlhneio.exe 1256 Fddmgjpo.exe 2612 Ffbicfoc.exe 1308 Gegfdb32.exe 1860 Gbkgnfbd.exe 828 Gldkfl32.exe 2388 Gobgcg32.exe 1312 Gelppaof.exe 996 Ghkllmoi.exe 292 Goddhg32.exe 2864 Geolea32.exe 2464 Ghmiam32.exe 3044 Gmjaic32.exe 2284 Gphmeo32.exe 1944 Hgbebiao.exe 1588 Hiqbndpb.exe 3020 Hdfflm32.exe 2660 Hkpnhgge.exe 2648 Hpmgqnfl.exe 2840 Hckcmjep.exe 2564 Hnagjbdf.exe 2568 Hjhhocjj.exe 2852 Hlfdkoin.exe 1620 Hodpgjha.exe 2724 Hkkalk32.exe 352 Iaeiieeb.exe 1252 Ilknfn32.exe 1984 Ifcbodli.exe 1516 Idfbkq32.exe 2416 Iokfhi32.exe 2968 Iqmcpahh.exe 1628 Ikbgmj32.exe 2728 Inqcif32.exe 1804 Idklfpon.exe 824 Igihbknb.exe 1632 Incpoe32.exe 688 Iqalka32.exe 1512 Icpigm32.exe 980 Jjjacf32.exe 1720 Jnemdecl.exe 2384 Jofiln32.exe 2760 Jfqahgpg.exe 3048 Jmjjea32.exe 2696 Joifam32.exe 2680 Jfcnngnd.exe 2512 Jiakjb32.exe 1640 Jokcgmee.exe 340 Jbjochdi.exe 1668 Jfekcg32.exe 1972 Jmocpado.exe 1128 Jkbcln32.exe 2804 Jbllihbf.exe -
Loads dropped DLL 64 IoCs
pid Process 2244 0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe 2244 0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe 1184 Dfijnd32.exe 1184 Dfijnd32.exe 2608 Ejgcdb32.exe 2608 Ejgcdb32.exe 2776 Ecpgmhai.exe 2776 Ecpgmhai.exe 1148 Ekklaj32.exe 1148 Ekklaj32.exe 2604 Eecqjpee.exe 2604 Eecqjpee.exe 2572 Eajaoq32.exe 2572 Eajaoq32.exe 2956 Eloemi32.exe 2956 Eloemi32.exe 348 Fehjeo32.exe 348 Fehjeo32.exe 1796 Fjdbnf32.exe 1796 Fjdbnf32.exe 1964 Fjgoce32.exe 1964 Fjgoce32.exe 1788 Fhkpmjln.exe 1788 Fhkpmjln.exe 1980 Fmhheqje.exe 1980 Fmhheqje.exe 2412 Fjlhneio.exe 2412 Fjlhneio.exe 1256 Fddmgjpo.exe 1256 Fddmgjpo.exe 2612 Ffbicfoc.exe 2612 Ffbicfoc.exe 1308 Gegfdb32.exe 1308 Gegfdb32.exe 1860 Gbkgnfbd.exe 1860 Gbkgnfbd.exe 828 Gldkfl32.exe 828 Gldkfl32.exe 2388 Gobgcg32.exe 2388 Gobgcg32.exe 1312 Gelppaof.exe 1312 Gelppaof.exe 996 Ghkllmoi.exe 996 Ghkllmoi.exe 292 Goddhg32.exe 292 Goddhg32.exe 2864 Geolea32.exe 2864 Geolea32.exe 2464 Ghmiam32.exe 2464 Ghmiam32.exe 3044 Gmjaic32.exe 3044 Gmjaic32.exe 2284 Gphmeo32.exe 2284 Gphmeo32.exe 1944 Hgbebiao.exe 1944 Hgbebiao.exe 1588 Hiqbndpb.exe 1588 Hiqbndpb.exe 3020 Hdfflm32.exe 3020 Hdfflm32.exe 2660 Hkpnhgge.exe 2660 Hkpnhgge.exe 2648 Hpmgqnfl.exe 2648 Hpmgqnfl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ghmiam32.exe Geolea32.exe File created C:\Windows\SysWOW64\Kcbakpdo.exe Kneicieh.exe File created C:\Windows\SysWOW64\Cehkbgdf.dll Gbcfadgl.exe File created C:\Windows\SysWOW64\Jkoginch.dll Fjdbnf32.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Hkkalk32.exe File created C:\Windows\SysWOW64\Oegbkc32.dll Hgmalg32.exe File created C:\Windows\SysWOW64\Iccbqh32.exe Hiknhbcg.exe File opened for modification C:\Windows\SysWOW64\Kkjcplpa.exe Kmgbdo32.exe File created C:\Windows\SysWOW64\Ndjfeo32.exe Npojdpef.exe File created C:\Windows\SysWOW64\Oonafa32.exe Onmdoioa.exe File created C:\Windows\SysWOW64\Aplifb32.exe Aefeijle.exe File created C:\Windows\SysWOW64\Hnhijl32.dll Adpkee32.exe File opened for modification C:\Windows\SysWOW64\Adnopfoj.exe Aekodi32.exe File created C:\Windows\SysWOW64\Galmmc32.dll Ddgjdk32.exe File opened for modification C:\Windows\SysWOW64\Ihjnom32.exe Iapebchh.exe File created C:\Windows\SysWOW64\Aimkgn32.dll Ghmiam32.exe File created C:\Windows\SysWOW64\Lihmjejl.exe Lbnemk32.exe File created C:\Windows\SysWOW64\Ijlhmj32.dll Mcegmm32.exe File opened for modification C:\Windows\SysWOW64\Fekpnn32.exe Fmpkjkma.exe File opened for modification C:\Windows\SysWOW64\Gelppaof.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Pclfkc32.exe File created C:\Windows\SysWOW64\Dolnad32.exe Ddgjdk32.exe File created C:\Windows\SysWOW64\Haiccald.exe Hojgfemq.exe File opened for modification C:\Windows\SysWOW64\Mhhfdo32.exe Meijhc32.exe File opened for modification C:\Windows\SysWOW64\Nmpnhdfc.exe Niebhf32.exe File created C:\Windows\SysWOW64\Iqmcpahh.exe Iokfhi32.exe File opened for modification C:\Windows\SysWOW64\Pfjbgnme.exe Pclfkc32.exe File created C:\Windows\SysWOW64\Qbcpbo32.exe Qpecfc32.exe File created C:\Windows\SysWOW64\Gfadgaio.dll Mdkqqa32.exe File created C:\Windows\SysWOW64\Mpmapm32.exe Mmneda32.exe File created C:\Windows\SysWOW64\Lapnnafn.exe Lnbbbffj.exe File created C:\Windows\SysWOW64\Bfjpdigc.dll Ojfaijcc.exe File created C:\Windows\SysWOW64\Aadloj32.exe Aoepcn32.exe File opened for modification C:\Windows\SysWOW64\Jabbhcfe.exe Jnffgd32.exe File created C:\Windows\SysWOW64\Jokcgmee.exe Jiakjb32.exe File created C:\Windows\SysWOW64\Kckmmp32.dll Aehboi32.exe File created C:\Windows\SysWOW64\Mkhofjoj.exe Mlfojn32.exe File opened for modification C:\Windows\SysWOW64\Hoamgd32.exe Hhgdkjol.exe File created C:\Windows\SysWOW64\Bmpfojmp.exe Behnnm32.exe File opened for modification C:\Windows\SysWOW64\Emkaol32.exe Egoife32.exe File opened for modification C:\Windows\SysWOW64\Ghqnjk32.exe Gebbnpfp.exe File created C:\Windows\SysWOW64\Ecfhengk.dll Pcnbablo.exe File created C:\Windows\SysWOW64\Jnbfqn32.dll Ilcmjl32.exe File created C:\Windows\SysWOW64\Bfcampgf.exe Bbhela32.exe File created C:\Windows\SysWOW64\Biddmpnf.dll Hakphqja.exe File created C:\Windows\SysWOW64\Jjjacf32.exe Icpigm32.exe File created C:\Windows\SysWOW64\Jddnncch.dll Meccii32.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bjlqhoba.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Icjhagdp.exe File opened for modification C:\Windows\SysWOW64\Kincipnk.exe Kebgia32.exe File created C:\Windows\SysWOW64\Fhkpmjln.exe Fjgoce32.exe File created C:\Windows\SysWOW64\Lpphap32.exe Kmaled32.exe File created C:\Windows\SysWOW64\Cdgneh32.exe Cnmehnan.exe File created C:\Windows\SysWOW64\Omkepc32.dll Ndbcpd32.exe File created C:\Windows\SysWOW64\Mjapln32.dll Heihnoph.exe File created C:\Windows\SysWOW64\Lbiqfied.exe Lcfqkl32.exe File opened for modification C:\Windows\SysWOW64\Mdacop32.exe Mabgcd32.exe File created C:\Windows\SysWOW64\Oaajloig.dll Mlhkpm32.exe File created C:\Windows\SysWOW64\Oqideepg.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Inlepd32.dll Onmdoioa.exe File opened for modification C:\Windows\SysWOW64\Ddgjdk32.exe Dknekeef.exe File opened for modification C:\Windows\SysWOW64\Ncjqhmkm.exe Nlphkb32.exe File created C:\Windows\SysWOW64\Mbpgggol.exe Mkhofjoj.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4384 4244 WerFault.exe 459 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iompkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeelpbm.dll" Jbdonb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mooaljkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpinomjo.dll" Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnbi32.dll" Kocbkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Lajhofao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbeknj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moidahcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Kgkafo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbnnqb32.dll" Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblqijln.dll" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaplbi32.dll" Pqhpdhcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnfen32.dll" Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlcpbbm.dll" Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncgdbmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll" Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpncj32.dll" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbpgggol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcijc32.dll" Kiccofna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Magqncba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhndldcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklmgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikhjki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnilfo32.dll" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" Mapjmehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diceon32.dll" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokfhi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 1184 2244 0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe 28 PID 2244 wrote to memory of 1184 2244 0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe 28 PID 2244 wrote to memory of 1184 2244 0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe 28 PID 2244 wrote to memory of 1184 2244 0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe 28 PID 1184 wrote to memory of 2608 1184 Dfijnd32.exe 29 PID 1184 wrote to memory of 2608 1184 Dfijnd32.exe 29 PID 1184 wrote to memory of 2608 1184 Dfijnd32.exe 29 PID 1184 wrote to memory of 2608 1184 Dfijnd32.exe 29 PID 2608 wrote to memory of 2776 2608 Ejgcdb32.exe 30 PID 2608 wrote to memory of 2776 2608 Ejgcdb32.exe 30 PID 2608 wrote to memory of 2776 2608 Ejgcdb32.exe 30 PID 2608 wrote to memory of 2776 2608 Ejgcdb32.exe 30 PID 2776 wrote to memory of 1148 2776 Ecpgmhai.exe 31 PID 2776 wrote to memory of 1148 2776 Ecpgmhai.exe 31 PID 2776 wrote to memory of 1148 2776 Ecpgmhai.exe 31 PID 2776 wrote to memory of 1148 2776 Ecpgmhai.exe 31 PID 1148 wrote to memory of 2604 1148 Ekklaj32.exe 32 PID 1148 wrote to memory of 2604 1148 Ekklaj32.exe 32 PID 1148 wrote to memory of 2604 1148 Ekklaj32.exe 32 PID 1148 wrote to memory of 2604 1148 Ekklaj32.exe 32 PID 2604 wrote to memory of 2572 2604 Eecqjpee.exe 33 PID 2604 wrote to memory of 2572 2604 Eecqjpee.exe 33 PID 2604 wrote to memory of 2572 2604 Eecqjpee.exe 33 PID 2604 wrote to memory of 2572 2604 Eecqjpee.exe 33 PID 2572 wrote to memory of 2956 2572 Eajaoq32.exe 34 PID 2572 wrote to memory of 2956 2572 Eajaoq32.exe 34 PID 2572 wrote to memory of 2956 2572 Eajaoq32.exe 34 PID 2572 wrote to memory of 2956 2572 Eajaoq32.exe 34 PID 2956 wrote to memory of 348 2956 Eloemi32.exe 35 PID 2956 wrote to memory of 348 2956 Eloemi32.exe 35 PID 2956 wrote to memory of 348 2956 Eloemi32.exe 35 PID 2956 wrote to memory of 348 2956 Eloemi32.exe 35 PID 348 wrote to memory of 1796 348 Fehjeo32.exe 36 PID 348 wrote to memory of 1796 348 Fehjeo32.exe 36 PID 348 wrote to memory of 1796 348 Fehjeo32.exe 36 PID 348 wrote to memory of 1796 348 Fehjeo32.exe 36 PID 1796 wrote to memory of 1964 1796 Fjdbnf32.exe 37 PID 1796 wrote to memory of 1964 1796 Fjdbnf32.exe 37 PID 1796 wrote to memory of 1964 1796 Fjdbnf32.exe 37 PID 1796 wrote to memory of 1964 1796 Fjdbnf32.exe 37 PID 1964 wrote to memory of 1788 1964 Fjgoce32.exe 38 PID 1964 wrote to memory of 1788 1964 Fjgoce32.exe 38 PID 1964 wrote to memory of 1788 1964 Fjgoce32.exe 38 PID 1964 wrote to memory of 1788 1964 Fjgoce32.exe 38 PID 1788 wrote to memory of 1980 1788 Fhkpmjln.exe 39 PID 1788 wrote to memory of 1980 1788 Fhkpmjln.exe 39 PID 1788 wrote to memory of 1980 1788 Fhkpmjln.exe 39 PID 1788 wrote to memory of 1980 1788 Fhkpmjln.exe 39 PID 1980 wrote to memory of 2412 1980 Fmhheqje.exe 40 PID 1980 wrote to memory of 2412 1980 Fmhheqje.exe 40 PID 1980 wrote to memory of 2412 1980 Fmhheqje.exe 40 PID 1980 wrote to memory of 2412 1980 Fmhheqje.exe 40 PID 2412 wrote to memory of 1256 2412 Fjlhneio.exe 41 PID 2412 wrote to memory of 1256 2412 Fjlhneio.exe 41 PID 2412 wrote to memory of 1256 2412 Fjlhneio.exe 41 PID 2412 wrote to memory of 1256 2412 Fjlhneio.exe 41 PID 1256 wrote to memory of 2612 1256 Fddmgjpo.exe 42 PID 1256 wrote to memory of 2612 1256 Fddmgjpo.exe 42 PID 1256 wrote to memory of 2612 1256 Fddmgjpo.exe 42 PID 1256 wrote to memory of 2612 1256 Fddmgjpo.exe 42 PID 2612 wrote to memory of 1308 2612 Ffbicfoc.exe 43 PID 2612 wrote to memory of 1308 2612 Ffbicfoc.exe 43 PID 2612 wrote to memory of 1308 2612 Ffbicfoc.exe 43 PID 2612 wrote to memory of 1308 2612 Ffbicfoc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe"C:\Users\Admin\AppData\Local\Temp\0706d99f83533d99d0981ddec800aad38e208fefb12db6cbf7b43b9127662c2c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe33⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe34⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe36⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe39⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe41⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe42⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe44⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe46⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe48⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe49⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe53⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe54⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe55⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe56⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe57⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe58⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe60⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe61⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe62⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe64⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe65⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe66⤵PID:2344
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe67⤵PID:2300
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe68⤵PID:1652
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe69⤵PID:2336
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe70⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe71⤵PID:1648
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe72⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe74⤵PID:1716
-
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe75⤵PID:1708
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe76⤵PID:2004
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe77⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe78⤵PID:2520
-
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe79⤵PID:2952
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe80⤵PID:2444
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe81⤵
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe82⤵PID:2420
-
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe83⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe84⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe85⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe86⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe87⤵PID:3068
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:752 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe89⤵PID:2208
-
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe91⤵PID:2640
-
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe92⤵PID:2632
-
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe93⤵PID:2136
-
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe94⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe95⤵PID:336
-
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe96⤵PID:300
-
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe97⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe98⤵PID:2900
-
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe100⤵PID:2268
-
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe101⤵PID:2188
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe102⤵PID:2448
-
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe103⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe104⤵PID:2056
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe105⤵PID:2060
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe106⤵PID:2748
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe107⤵PID:2064
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe108⤵PID:1600
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe109⤵PID:2168
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe110⤵PID:2556
-
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe111⤵PID:2940
-
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe112⤵PID:1508
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe113⤵
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe115⤵PID:2212
-
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe116⤵PID:900
-
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe117⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe118⤵PID:2624
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe119⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe120⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe121⤵PID:376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-