Analysis
max time kernel: 47s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 05/07/2024, 20:48
Static task: static1
Behavioral task: behavioral1
  Sample: 3daaaeed26c3250e7fe561e3f91b7744dbd6332b824d762d7f13cdff8df80b1d.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 3daaaeed26c3250e7fe561e3f91b7744dbd6332b824d762d7f13cdff8df80b1d.exe
  Resource: win10v2004-20240704-en
General
Target: 3daaaeed26c3250e7fe561e3f91b7744dbd6332b824d762d7f13cdff8df80b1d.exe
Size: 52KB
MD5: e151b2a5aae1bd0769b99ec28bb68c8d
SHA1: efc762d4e467f3e24825182927d83bc4ef0399a4
SHA256: 3daaaeed26c3250e7fe561e3f91b7744dbd6332b824d762d7f13cdff8df80b1d
SHA512: 07e4140cdfd4873aa9c40818356d7f909c868b47c911f0be3279e7187c7e62b75d2d872f5204f9ca59957b3f4ad2eec3c3440bb701d2cd65da6267b26a10ff70
SSDEEP: 1536:B/kxOIpzZdGBHmPp2e+nRbxd8LtPFigdHMAdKZ:1kxOI5ZdGBmoecR9OLtP4gZMRZ
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 5580, pid_target: 5556, Process: WerFault.exe, procid_target: 471
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each process below is the child of the one above it; the level number is its depth in the tree. Image paths are the on-disk paths recorded by the sandbox. The command lines reference C:\Windows\system32\ while the files live in C:\Windows\SysWOW64\ because these are 32-bit processes subject to WOW64 file-system redirection; the path difference is redirection, not tampering.
- Level 1: C:\Users\Admin\AppData\Local\Temp\3daaaeed26c3250e7fe561e3f91b7744dbd6332b824d762d7f13cdff8df80b1d.exe (PID 2072), command line: "C:\Users\Admin\AppData\Local\Temp\3daaaeed26c3250e7fe561e3f91b7744dbd6332b824d762d7f13cdff8df80b1d.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 2: C:\Windows\SysWOW64\Aeachphg.exe (PID 1684), command line: C:\Windows\system32\Aeachphg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\Anigaeoh.exe (PID 2192), command line: C:\Windows\system32\Anigaeoh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 4: C:\Windows\SysWOW64\Apjdin32.exe (PID 2016), command line: C:\Windows\system32\Apjdin32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 5: C:\Windows\SysWOW64\Bichbckg.exe (PID 2760), command line: C:\Windows\system32\Bichbckg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 6: C:\Windows\SysWOW64\Bpmqom32.exe (PID 1208), command line: C:\Windows\system32\Bpmqom32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 7: C:\Windows\SysWOW64\Bjbelf32.exe (PID 2596), command line: C:\Windows\system32\Bjbelf32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 8: C:\Windows\SysWOW64\Bpomdmqa.exe (PID 2884), command line: C:\Windows\system32\Bpomdmqa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 9: C:\Windows\SysWOW64\Belfldoh.exe (PID 1680), command line: C:\Windows\system32\Belfldoh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 10: C:\Windows\SysWOW64\Blfnin32.exe (PID 2332), command line: C:\Windows\system32\Blfnin32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 11: C:\Windows\SysWOW64\Bbbckh32.exe (PID 2924), command line: C:\Windows\system32\Bbbckh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 12: C:\Windows\SysWOW64\Beqogc32.exe (PID 664), command line: C:\Windows\system32\Beqogc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- Level 13: C:\Windows\SysWOW64\Cdflhppk.exe (PID 2464), command line: C:\Windows\system32\Cdflhppk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 14: C:\Windows\SysWOW64\Ckpdej32.exe (PID 1632), command line: C:\Windows\system32\Ckpdej32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 15: C:\Windows\SysWOW64\Cdhino32.exe (PID 1012), command line: C:\Windows\system32\Cdhino32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 16: C:\Windows\SysWOW64\Ckbakiee.exe (PID 2428), command line: C:\Windows\system32\Ckbakiee.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 17: C:\Windows\SysWOW64\Cpojcpcm.exe (PID 1236), command line: C:\Windows\system32\Cpojcpcm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Level 18: C:\Windows\SysWOW64\Cgibpj32.exe (PID 992), command line: C:\Windows\system32\Cgibpj32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Level 19: C:\Windows\SysWOW64\Ckgkfi32.exe (PID 2424), command line: C:\Windows\system32\Ckgkfi32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 20: C:\Windows\SysWOW64\Clhgnagn.exe (PID 1540), command line: C:\Windows\system32\Clhgnagn.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 21: C:\Windows\SysWOW64\Dljdcqek.exe (PID 1736), command line: C:\Windows\system32\Dljdcqek.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 22: C:\Windows\SysWOW64\Doipoldo.exe (PID 1664), command line: C:\Windows\system32\Doipoldo.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 23: C:\Windows\SysWOW64\Dindme32.exe (PID 2128), command line: C:\Windows\system32\Dindme32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 24: C:\Windows\SysWOW64\Dhcanahm.exe (PID 1908), command line: C:\Windows\system32\Dhcanahm.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 25: C:\Windows\SysWOW64\Dkbnjmhq.exe (PID 2180), command line: C:\Windows\system32\Dkbnjmhq.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 26: C:\Windows\SysWOW64\Ddjbbbna.exe (PID 2848), command line: C:\Windows\system32\Ddjbbbna.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 27: C:\Windows\SysWOW64\Dkggel32.exe (PID 2240), command line: C:\Windows\system32\Dkggel32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Level 28: C:\Windows\SysWOW64\Epcomc32.exe (PID 2992), command line: C:\Windows\system32\Epcomc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Level 29: C:\Windows\SysWOW64\Engpfgql.exe (PID 2656), command line: C:\Windows\system32\Engpfgql.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- Level 30: C:\Windows\SysWOW64\Edahca32.exe (PID 2324), command line: C:\Windows\system32\Edahca32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- Level 31: C:\Windows\SysWOW64\Ekkppkpf.exe (PID 1552), command line: C:\Windows\system32\Ekkppkpf.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 32: C:\Windows\SysWOW64\Eddeia32.exe (PID 2504), command line: C:\Windows\system32\Eddeia32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- Level 33: C:\Windows\SysWOW64\Ecfednma.exe (PID 2364), command line: C:\Windows\system32\Ecfednma.exe
  - Executes dropped EXE
- Level 34: C:\Windows\SysWOW64\Enliaf32.exe (PID 1144), command line: C:\Windows\system32\Enliaf32.exe
  - Executes dropped EXE
- Level 35: C:\Windows\SysWOW64\Ecibjn32.exe (PID 2276), command line: C:\Windows\system32\Ecibjn32.exe
  - Executes dropped EXE
  - Modifies registry class
- Level 36: C:\Windows\SysWOW64\Efgnfi32.exe (PID 1952), command line: C:\Windows\system32\Efgnfi32.exe
  - Executes dropped EXE
- Level 37: C:\Windows\SysWOW64\Ejcjfgbk.exe (PID 2964), command line: C:\Windows\system32\Ejcjfgbk.exe
  - Executes dropped EXE
- Level 38: C:\Windows\SysWOW64\Eqmbca32.exe (PID 1904), command line: C:\Windows\system32\Eqmbca32.exe
  - Executes dropped EXE
- Level 39: C:\Windows\SysWOW64\Eckopm32.exe (PID 1068), command line: C:\Windows\system32\Eckopm32.exe
  - Executes dropped EXE
- Level 40: C:\Windows\SysWOW64\Ejeglg32.exe (PID 2912), command line: C:\Windows\system32\Ejeglg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- Level 41: C:\Windows\SysWOW64\Fmcchb32.exe (PID 2936), command line: C:\Windows\system32\Fmcchb32.exe
  - Executes dropped EXE
- Level 42: C:\Windows\SysWOW64\Fcnkemgi.exe (PID 2552), command line: C:\Windows\system32\Fcnkemgi.exe
  - Executes dropped EXE
- Level 43: C:\Windows\SysWOW64\Fflgahfm.exe (PID 1948), command line: C:\Windows\system32\Fflgahfm.exe
  - Executes dropped EXE
- Level 44: C:\Windows\SysWOW64\Fhjcmcep.exe (PID 2856), command line: C:\Windows\system32\Fhjcmcep.exe
  - Executes dropped EXE
  - Modifies registry class
- Level 45: C:\Windows\SysWOW64\Fkipiodd.exe (PID 1428), command line: C:\Windows\system32\Fkipiodd.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- Level 46: C:\Windows\SysWOW64\Fnglekch.exe (PID 2896), command line: C:\Windows\system32\Fnglekch.exe
  - Executes dropped EXE
- Level 47: C:\Windows\SysWOW64\Ffndghdj.exe (PID 1164), command line: C:\Windows\system32\Ffndghdj.exe
  - Executes dropped EXE
  - Modifies registry class
- Level 48: C:\Windows\SysWOW64\Fgpqnpjh.exe (PID 292), command line: C:\Windows\system32\Fgpqnpjh.exe
  - Executes dropped EXE
- Level 49: C:\Windows\SysWOW64\Fniikj32.exe (PID 2860), command line: C:\Windows\system32\Fniikj32.exe
  - Executes dropped EXE
- Level 50: C:\Windows\SysWOW64\Fbeeliin.exe (PID 2724), command line: C:\Windows\system32\Fbeeliin.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- Level 51: C:\Windows\SysWOW64\Fgbmdphe.exe (PID 3060), command line: C:\Windows\system32\Fgbmdphe.exe
  - Executes dropped EXE
- Level 52: C:\Windows\SysWOW64\Fnleqj32.exe (PID 2808), command line: C:\Windows\system32\Fnleqj32.exe
  - Executes dropped EXE
- Level 53: C:\Windows\SysWOW64\Fqjbme32.exe (PID 2652), command line: C:\Windows\system32\Fqjbme32.exe
  - Executes dropped EXE
- Level 54: C:\Windows\SysWOW64\Fgdjipfc.exe (PID 2648), command line: C:\Windows\system32\Fgdjipfc.exe
  - Executes dropped EXE
- Level 55: C:\Windows\SysWOW64\Fmabaf32.exe (PID 1396), command line: C:\Windows\system32\Fmabaf32.exe
  - Executes dropped EXE
- Level 56: C:\Windows\SysWOW64\Ggfgoo32.exe (PID 2348), command line: C:\Windows\system32\Ggfgoo32.exe
  - Executes dropped EXE
- Level 57: C:\Windows\SysWOW64\Gnqolikm.exe (PID 1272), command line: C:\Windows\system32\Gnqolikm.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- Level 58: C:\Windows\SysWOW64\Gmcogf32.exe (PID 2152), command line: C:\Windows\system32\Gmcogf32.exe
  - Executes dropped EXE
- Level 59: C:\Windows\SysWOW64\Gcmgdpid.exe (PID 2976), command line: C:\Windows\system32\Gcmgdpid.exe
  - Executes dropped EXE
  - Modifies registry class
- Level 60: C:\Windows\SysWOW64\Gflcplhh.exe (PID 3024), command line: C:\Windows\system32\Gflcplhh.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- Level 61: C:\Windows\SysWOW64\Gmflmfpe.exe (PID 1916), command line: C:\Windows\system32\Gmflmfpe.exe
  - Executes dropped EXE
  - Modifies registry class
- Level 62: C:\Windows\SysWOW64\Gcpdip32.exe (PID 2844), command line: C:\Windows\system32\Gcpdip32.exe
  - Executes dropped EXE
  - Modifies registry class
- Level 63: C:\Windows\SysWOW64\Gimmbg32.exe (PID 2232), command line: C:\Windows\system32\Gimmbg32.exe
  - Executes dropped EXE
- Level 64: C:\Windows\SysWOW64\Glkinb32.exe (PID 2448), command line: C:\Windows\system32\Glkinb32.exe
  - Executes dropped EXE
- Level 65: C:\Windows\SysWOW64\Gbeakllj.exe (PID 2468), command line: C:\Windows\system32\Gbeakllj.exe
  - Executes dropped EXE
- Level 66: C:\Windows\SysWOW64\Gecmghkm.exe (PID 976), command line: C:\Windows\system32\Gecmghkm.exe
- Level 67: C:\Windows\SysWOW64\Gmjehe32.exe (PID 1492), command line: C:\Windows\system32\Gmjehe32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- Level 68: C:\Windows\SysWOW64\Gnlbpman.exe (PID 536), command line: C:\Windows\system32\Gnlbpman.exe
  - Modifies registry class
- Level 69: C:\Windows\SysWOW64\Gefjlg32.exe (PID 1652), command line: C:\Windows\system32\Gefjlg32.exe
  - Modifies registry class
- Level 70: C:\Windows\SysWOW64\Glpbiaqg.exe (PID 580), command line: C:\Windows\system32\Glpbiaqg.exe
- Level 71: C:\Windows\SysWOW64\Hnnoempk.exe (PID 2384), command line: C:\Windows\system32\Hnnoempk.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- Level 72: C:\Windows\SysWOW64\Halkahoo.exe (PID 2864), command line: C:\Windows\system32\Halkahoo.exe
- Level 73: C:\Windows\SysWOW64\Hiccbfoa.exe (PID 2804), command line: C:\Windows\system32\Hiccbfoa.exe
- Level 74: C:\Windows\SysWOW64\Hjeojnep.exe (PID 2772), command line: C:\Windows\system32\Hjeojnep.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- Level 75: C:\Windows\SysWOW64\Haoggh32.exe (PID 2548), command line: C:\Windows\system32\Haoggh32.exe
- Level 76: C:\Windows\SysWOW64\Hdmdcc32.exe (PID 2540), command line: C:\Windows\system32\Hdmdcc32.exe
- Level 77: C:\Windows\SysWOW64\Hldldq32.exe (PID 2292), command line: C:\Windows\system32\Hldldq32.exe
- Level 78: C:\Windows\SysWOW64\Hnbhpl32.exe (PID 2252), command line: C:\Windows\system32\Hnbhpl32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- Level 79: C:\Windows\SysWOW64\Haadlh32.exe (PID 2980), command line: C:\Windows\system32\Haadlh32.exe
  - Drops file in System32 directory
- Level 80: C:\Windows\SysWOW64\Hdpqhc32.exe (PID 832), command line: C:\Windows\system32\Hdpqhc32.exe
- Level 81: C:\Windows\SysWOW64\Hnedfljc.exe (PID 1160), command line: C:\Windows\system32\Hnedfljc.exe
  - Drops file in System32 directory
- Level 82: C:\Windows\SysWOW64\Hacabgig.exe (PID 2876), command line: C:\Windows\system32\Hacabgig.exe
- Level 83: C:\Windows\SysWOW64\Hdbmnchk.exe (PID 1548), command line: C:\Windows\system32\Hdbmnchk.exe
- Level 84: C:\Windows\SysWOW64\Hjlekm32.exe (PID 1840), command line: C:\Windows\system32\Hjlekm32.exe
- Level 85: C:\Windows\SysWOW64\Hmjagh32.exe (PID 2360), command line: C:\Windows\system32\Hmjagh32.exe
  - Drops file in System32 directory
  - Modifies registry class
- Level 86: C:\Windows\SysWOW64\Hpincd32.exe (PID 2784), command line: C:\Windows\system32\Hpincd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- Level 87: C:\Windows\SysWOW64\Ijnbpm32.exe (PID 1084), command line: C:\Windows\system32\Ijnbpm32.exe
- Level 88: C:\Windows\SysWOW64\Iiablido.exe (PID 2008), command line: C:\Windows\system32\Iiablido.exe
- Level 89: C:\Windows\SysWOW64\Ipkkhckl.exe (PID 2708), command line: C:\Windows\system32\Ipkkhckl.exe
- Level 90: C:\Windows\SysWOW64\Ibigeojp.exe (PID 2636), command line: C:\Windows\system32\Ibigeojp.exe
- Level 91: C:\Windows\SysWOW64\Iehcajjc.exe (PID 2664), command line: C:\Windows\system32\Iehcajjc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- Level 92: C:\Windows\SysWOW64\Ipmgncii.exe (PID 2056), command line: C:\Windows\system32\Ipmgncii.exe
  - Drops file in System32 directory
- Level 93: C:\Windows\SysWOW64\Iblcjohm.exe (PID 1972), command line: C:\Windows\system32\Iblcjohm.exe
- Level 94: C:\Windows\SysWOW64\Iejpfjha.exe (PID 2960), command line: C:\Windows\system32\Iejpfjha.exe
- Level 95: C:\Windows\SysWOW64\Ildhcd32.exe (PID 2188), command line: C:\Windows\system32\Ildhcd32.exe
- Level 96: C:\Windows\SysWOW64\Iobdopna.exe (PID 952), command line: C:\Windows\system32\Iobdopna.exe
  - Drops file in System32 directory
- Level 97: C:\Windows\SysWOW64\Ihkihe32.exe (PID 2108), command line: C:\Windows\system32\Ihkihe32.exe
- Level 98: C:\Windows\SysWOW64\Ikiedq32.exe (PID 2680), command line: C:\Windows\system32\Ikiedq32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- Level 99: C:\Windows\SysWOW64\Ibqmen32.exe (PID 1268), command line: C:\Windows\system32\Ibqmen32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- Level 100: C:\Windows\SysWOW64\Idaimfjf.exe (PID 912), command line: C:\Windows\system32\Idaimfjf.exe
- Level 101: C:\Windows\SysWOW64\Ilianckh.exe (PID 2220), command line: C:\Windows\system32\Ilianckh.exe
  - Drops file in System32 directory
- Level 102: C:\Windows\SysWOW64\Iognjojl.exe (PID 700), command line: C:\Windows\system32\Iognjojl.exe
- Level 103: C:\Windows\SysWOW64\Jaejfj32.exe (PID 2728), command line: C:\Windows\system32\Jaejfj32.exe
- Level 104: C:\Windows\SysWOW64\Jnlkkkod.exe (PID 2116), command line: C:\Windows\system32\Jnlkkkod.exe
  - Drops file in System32 directory
- Level 105: C:\Windows\SysWOW64\Jahflj32.exe (PID 2932), command line: C:\Windows\system32\Jahflj32.exe
- Level 106: C:\Windows\SysWOW64\Jdfche32.exe (PID 380), command line: C:\Windows\system32\Jdfche32.exe
- Level 107: C:\Windows\SysWOW64\Jjckpl32.exe (PID 1636), command line: C:\Windows\system32\Jjckpl32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- Level 108: C:\Windows\SysWOW64\Jajcaj32.exe (PID 816), command line: C:\Windows\system32\Jajcaj32.exe
- Level 109: C:\Windows\SysWOW64\Jclpib32.exe (PID 2284), command line: C:\Windows\system32\Jclpib32.exe
- Level 110: C:\Windows\SysWOW64\Jkbhjo32.exe (PID 1296), command line: C:\Windows\system32\Jkbhjo32.exe
  - Modifies registry class
- Level 111: C:\Windows\SysWOW64\Jlddbgai.exe (PID 2084), command line: C:\Windows\system32\Jlddbgai.exe
- Level 112: C:\Windows\SysWOW64\Jdklcebk.exe (PID 2172), command line: C:\Windows\system32\Jdklcebk.exe
  - Modifies registry class
- Level 113: C:\Windows\SysWOW64\Jgihopao.exe (PID 1732), command line: C:\Windows\system32\Jgihopao.exe
  - Modifies registry class
- Level 114: C:\Windows\SysWOW64\Jjheklqc.exe (PID 2812), command line: C:\Windows\system32\Jjheklqc.exe
  - Drops file in System32 directory
- Level 115: C:\Windows\SysWOW64\Jpbmhf32.exe (PID 344), command line: C:\Windows\system32\Jpbmhf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- Level 116: C:\Windows\SysWOW64\Jcpidagc.exe (PID 2888), command line: C:\Windows\system32\Jcpidagc.exe
  - Modifies registry class
- Level 117: C:\Windows\SysWOW64\Jjjaak32.exe (PID 2720), command line: C:\Windows\system32\Jjjaak32.exe
  - Drops file in System32 directory
- Level 118: C:\Windows\SysWOW64\Klinmg32.exe (PID 1816), command line: C:\Windows\system32\Klinmg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- Level 119: C:\Windows\SysWOW64\Kbefen32.exe (PID 3040), command line: C:\Windows\system32\Kbefen32.exe
- Level 120: C:\Windows\SysWOW64\Kfabfldd.exe (PID 2300), command line: C:\Windows\system32\Kfabfldd.exe
- Level 121: C:\Windows\SysWOW64\Kknkncbl.exe (PID 2584), command line: C:\Windows\system32\Kknkncbl.exe
- Level 122: C:\Windows\SysWOW64\Kcebpqcn.exe (PID 1264), command line: C:\Windows\system32\Kcebpqcn.exe
  - Adds autorun key to be loaded by Explorer.exe on startup