Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
06/07/2024, 04:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe
-
Size
250KB
-
MD5
69746eb280964a9aab995799efa41f2f
-
SHA1
0ef87168f7e63eb8794ece0debd0212d2a3bfa8b
-
SHA256
e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb
-
SHA512
bdd7f06e040226f2d765c93f3144c7fe87c99b1584598275072bf8281ae77e7a28ecf55ebac40bb895e1fd90b0ef03482c3e479aeebd1a1341631e03f9a2ecf5
-
SSDEEP
6144:8es61kvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:8j63
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjieace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plljbkml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fokaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhdddnep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eamdlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapejd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djffihmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lppkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcifdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhgnbehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidjfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opcaiggo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmchljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deonff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnknqpgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnbfkccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklkdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdincdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjgmka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdkdffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djffihmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdcbjal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhpddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mogene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikaqppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhngbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckopch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfhjfdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqjfgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfkbeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnfeep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnegldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfknooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpagbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcdmikma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegbpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdolga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnagbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqkgbkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnibl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnbbjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkajkoml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olokighn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaegaaah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khkdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dicmlpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnbfkccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdemap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkpeojha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaiijgbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiodliep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkkepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjchjcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fholmo32.exe -
Executes dropped EXE 64 IoCs
pid Process 1664 Qggoeilh.exe 2324 Qnagbc32.exe 2936 Agilkijf.exe 2320 Ancdgcab.exe 2876 Acdfki32.exe 2652 Aokfpjai.exe 2204 Adhohapp.exe 2424 Bbolge32.exe 1960 Bqciha32.exe 2848 Bmjjmbgc.exe 2900 Bfcnfh32.exe 688 Bmmgbbeq.exe 1612 Cbllph32.exe 2032 Cbqekhmp.exe 2252 Ckijdm32.exe 328 Dcfknooi.exe 2580 Dhdddnep.exe 2156 Djcpqidc.exe 1784 Dbneekan.exe 1672 Djemfibq.exe 2564 Deonff32.exe 2028 Dfnjqifb.exe 2372 Epgoio32.exe 872 Ebghkjjc.exe 2144 Eamdlf32.exe 584 Edkahbmo.exe 2984 Edmnnakm.exe 2924 Fcbjon32.exe 2740 Fgqcel32.exe 2772 Fiopah32.exe 2872 Fpihnbmk.exe 2696 Falakjag.exe 628 Fldbnb32.exe 2176 Gkiooocb.exe 860 Gnhkkjbf.exe 1064 Gklkdn32.exe 2532 Gcgpiq32.exe 2120 Gnmdfi32.exe 592 Gdfmccfm.exe 2188 Hfjfpkji.exe 2112 Hjfbaj32.exe 2456 Hobjia32.exe 2588 Hfmbfkhf.exe 1876 Hmfkbeoc.exe 1532 Hcqcoo32.exe 1968 Hfookk32.exe 932 Hogddpld.exe 332 Hiphmf32.exe 2988 Hojqjp32.exe 1740 Hqkmahpp.exe 2020 Hjcajn32.exe 2784 Ijenpn32.exe 2996 Iekbmfdc.exe 2768 Ijhkembk.exe 2680 Iabcbg32.exe 2716 Ijjgkmqh.exe 2756 Imidgh32.exe 2052 Icbldbgi.exe 2232 Iiodliep.exe 2972 Iceiibef.exe 1628 Ifceemdj.exe 3012 Jlpmndba.exe 2264 Jnojjp32.exe 2284 Jhgnbehe.exe -
Loads dropped DLL 64 IoCs
pid Process 3044 e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe 3044 e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe 1664 Qggoeilh.exe 1664 Qggoeilh.exe 2324 Qnagbc32.exe 2324 Qnagbc32.exe 2936 Agilkijf.exe 2936 Agilkijf.exe 2320 Ancdgcab.exe 2320 Ancdgcab.exe 2876 Acdfki32.exe 2876 Acdfki32.exe 2652 Aokfpjai.exe 2652 Aokfpjai.exe 2204 Adhohapp.exe 2204 Adhohapp.exe 2424 Bbolge32.exe 2424 Bbolge32.exe 1960 Bqciha32.exe 1960 Bqciha32.exe 2848 Bmjjmbgc.exe 2848 Bmjjmbgc.exe 2900 Bfcnfh32.exe 2900 Bfcnfh32.exe 688 Bmmgbbeq.exe 688 Bmmgbbeq.exe 1612 Cbllph32.exe 1612 Cbllph32.exe 2032 Cbqekhmp.exe 2032 Cbqekhmp.exe 2252 Ckijdm32.exe 2252 Ckijdm32.exe 328 Dcfknooi.exe 328 Dcfknooi.exe 2580 Dhdddnep.exe 2580 Dhdddnep.exe 2156 Djcpqidc.exe 2156 Djcpqidc.exe 1784 Dbneekan.exe 1784 Dbneekan.exe 1672 Djemfibq.exe 1672 Djemfibq.exe 2564 Deonff32.exe 2564 Deonff32.exe 2028 Dfnjqifb.exe 2028 Dfnjqifb.exe 2372 Epgoio32.exe 2372 Epgoio32.exe 872 Ebghkjjc.exe 872 Ebghkjjc.exe 2144 Eamdlf32.exe 2144 Eamdlf32.exe 584 Edkahbmo.exe 584 Edkahbmo.exe 2984 Edmnnakm.exe 2984 Edmnnakm.exe 2924 Fcbjon32.exe 2924 Fcbjon32.exe 2740 Fgqcel32.exe 2740 Fgqcel32.exe 2772 Fiopah32.exe 2772 Fiopah32.exe 2872 Fpihnbmk.exe 2872 Fpihnbmk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hjcajn32.exe Hqkmahpp.exe File created C:\Windows\SysWOW64\Kemgqm32.exe Kocodbpk.exe File created C:\Windows\SysWOW64\Phelnhnb.exe Pegpamoo.exe File created C:\Windows\SysWOW64\Eaodhk32.dll Fagqed32.exe File created C:\Windows\SysWOW64\Kaebeiqd.dll Aekelo32.exe File created C:\Windows\SysWOW64\Eiajmgka.dll Epmahmcm.exe File opened for modification C:\Windows\SysWOW64\Kocodbpk.exe Kldchgag.exe File opened for modification C:\Windows\SysWOW64\Lcnhcdkp.exe Lppkgi32.exe File opened for modification C:\Windows\SysWOW64\Ompgqonl.exe Olokighn.exe File opened for modification C:\Windows\SysWOW64\Glhhgahg.exe Giikkehc.exe File opened for modification C:\Windows\SysWOW64\Geplpfnh.exe Gcapckod.exe File opened for modification C:\Windows\SysWOW64\Hngppgae.exe Hkidclbb.exe File created C:\Windows\SysWOW64\Gkkkejhl.dll Hdailaib.exe File created C:\Windows\SysWOW64\Agldbd32.dll Gnhkkjbf.exe File created C:\Windows\SysWOW64\Gddfepbh.dll Jadlgjjq.exe File created C:\Windows\SysWOW64\Kahmln32.dll Mkconepp.exe File created C:\Windows\SysWOW64\Gndjkkom.dll Qhehmkqn.exe File opened for modification C:\Windows\SysWOW64\Ahlnmjkf.exe Adqbml32.exe File opened for modification C:\Windows\SysWOW64\Hjpnjheg.exe Hfdbji32.exe File opened for modification C:\Windows\SysWOW64\Pbcfie32.exe Ppejmj32.exe File created C:\Windows\SysWOW64\Bhqdgm32.exe Bbflkcao.exe File created C:\Windows\SysWOW64\Cincaq32.exe Cbdkdffm.exe File created C:\Windows\SysWOW64\Dghjmlnm.exe Deimaa32.exe File created C:\Windows\SysWOW64\Dlfbck32.exe Dcojbm32.exe File opened for modification C:\Windows\SysWOW64\Fholmo32.exe Fbbcdh32.exe File created C:\Windows\SysWOW64\Ahlnmjkf.exe Adqbml32.exe File opened for modification C:\Windows\SysWOW64\Gcgpiq32.exe Gklkdn32.exe File opened for modification C:\Windows\SysWOW64\Iekbmfdc.exe Ijenpn32.exe File created C:\Windows\SysWOW64\Bgdalf32.dll Pjchjcmf.exe File opened for modification C:\Windows\SysWOW64\Bbdoec32.exe Bofbih32.exe File created C:\Windows\SysWOW64\Nnfeep32.exe Njjieace.exe File created C:\Windows\SysWOW64\Pinnfonh.exe Pbcfie32.exe File created C:\Windows\SysWOW64\Dcmapo32.dll Bfcnfh32.exe File opened for modification C:\Windows\SysWOW64\Jhgnbehe.exe Jnojjp32.exe File opened for modification C:\Windows\SysWOW64\Pinnfonh.exe Pbcfie32.exe File created C:\Windows\SysWOW64\Anfjpa32.exe Akhndf32.exe File created C:\Windows\SysWOW64\Aobinedj.dll Eccdmmpk.exe File opened for modification C:\Windows\SysWOW64\Fpihnbmk.exe Fiopah32.exe File created C:\Windows\SysWOW64\Kocodbpk.exe Kldchgag.exe File created C:\Windows\SysWOW64\Hiihgc32.dll Khkdmh32.exe File created C:\Windows\SysWOW64\Jgdicbgi.dll Eelfedpa.exe File created C:\Windows\SysWOW64\Iepfml32.dll Qggoeilh.exe File created C:\Windows\SysWOW64\Gdpene32.dll Dfdqpdja.exe File created C:\Windows\SysWOW64\Fpcghl32.exe Fhlogo32.exe File created C:\Windows\SysWOW64\Jekoljgo.exe Jpnfdbig.exe File created C:\Windows\SysWOW64\Laknfmgd.exe Lkafib32.exe File created C:\Windows\SysWOW64\Mnfhfmhc.exe Mfoqephq.exe File opened for modification C:\Windows\SysWOW64\Plljbkml.exe Pinnfonh.exe File created C:\Windows\SysWOW64\Jcdmpg32.dll Cdgdlnop.exe File created C:\Windows\SysWOW64\Fmdapnnp.dll Hkkaik32.exe File created C:\Windows\SysWOW64\Goqeoiki.dll Ifceemdj.exe File opened for modification C:\Windows\SysWOW64\Johlpoij.exe Jdbhcfjd.exe File created C:\Windows\SysWOW64\Jmifofko.dll Lohiob32.exe File created C:\Windows\SysWOW64\Giiinjlg.dll Lcnhcdkp.exe File opened for modification C:\Windows\SysWOW64\Odgchjhl.exe Obffpa32.exe File opened for modification C:\Windows\SysWOW64\Gcifdj32.exe Glongpao.exe File created C:\Windows\SysWOW64\Ipapioii.dll Ijhkembk.exe File created C:\Windows\SysWOW64\Libghd32.dll Ndnplk32.exe File opened for modification C:\Windows\SysWOW64\Bkhjcing.exe Blejgm32.exe File opened for modification C:\Windows\SysWOW64\Dicmlpje.exe Dfdqpdja.exe File opened for modification C:\Windows\SysWOW64\Eelfedpa.exe Eoanij32.exe File created C:\Windows\SysWOW64\Mmchhqaf.dll Qnagbc32.exe File opened for modification C:\Windows\SysWOW64\Acdfki32.exe Ancdgcab.exe File created C:\Windows\SysWOW64\Mbginggd.dll Acdfki32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3568 3192 WerFault.exe 314 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pficnc32.dll" Ebghkjjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edkahbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkegjeg.dll" Oepianef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafjfokk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pinnfonh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Annpaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijbjpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckijdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcdbiikn.dll" Akhndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfdjpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckopch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcdmikma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hngppgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llloeb32.dll" Fldbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fldbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opennf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmfab32.dll" Cbihpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpjhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imidgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmggm32.dll" Jhikhefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfhad32.dll" Qbhpddbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geplpfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgkknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffjpg32.dll" Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaqif32.dll" Cklpml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djffihmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giikkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lahaqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjcnfcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epmahmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpgopjh.dll" Fokaoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ginefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebdo32.dll" Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpinonc.dll" Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkajkoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncemobj.dll" Njaoeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcojn32.dll" Cqqbgoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkapcaf.dll" Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kemgqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llgllj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbjbmonp.dll" Ccmanjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikgjlgb.dll" Deonff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kidjfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opcaiggo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiopah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmpiog.dll" Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnlaehe.dll" Fhcehngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjcajn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnhkkjbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieiegf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijenpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opqjjalh.dll" Oafjfokk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbojchdc.dll" Gaiijgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jadlgjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnbfkccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcfioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Happkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kocodbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadbfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfbdje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eenckc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3044 wrote to memory of 1664 3044 e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe 29 PID 3044 wrote to memory of 1664 3044 e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe 29 PID 3044 wrote to memory of 1664 3044 e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe 29 PID 3044 wrote to memory of 1664 3044 e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe 29 PID 1664 wrote to memory of 2324 1664 Qggoeilh.exe 30 PID 1664 wrote to memory of 2324 1664 Qggoeilh.exe 30 PID 1664 wrote to memory of 2324 1664 Qggoeilh.exe 30 PID 1664 wrote to memory of 2324 1664 Qggoeilh.exe 30 PID 2324 wrote to memory of 2936 2324 Qnagbc32.exe 31 PID 2324 wrote to memory of 2936 2324 Qnagbc32.exe 31 PID 2324 wrote to memory of 2936 2324 Qnagbc32.exe 31 PID 2324 wrote to memory of 2936 2324 Qnagbc32.exe 31 PID 2936 wrote to memory of 2320 2936 Agilkijf.exe 32 PID 2936 wrote to memory of 2320 2936 Agilkijf.exe 32 PID 2936 wrote to memory of 2320 2936 Agilkijf.exe 32 PID 2936 wrote to memory of 2320 2936 Agilkijf.exe 32 PID 2320 wrote to memory of 2876 2320 Ancdgcab.exe 33 PID 2320 wrote to memory of 2876 2320 Ancdgcab.exe 33 PID 2320 wrote to memory of 2876 2320 Ancdgcab.exe 33 PID 2320 wrote to memory of 2876 2320 Ancdgcab.exe 33 PID 2876 wrote to memory of 2652 2876 Acdfki32.exe 34 PID 2876 wrote to memory of 2652 2876 Acdfki32.exe 34 PID 2876 wrote to memory of 2652 2876 Acdfki32.exe 34 PID 2876 wrote to memory of 2652 2876 Acdfki32.exe 34 PID 2652 wrote to memory of 2204 2652 Aokfpjai.exe 35 PID 2652 wrote to memory of 2204 2652 Aokfpjai.exe 35 PID 2652 wrote to memory of 2204 2652 Aokfpjai.exe 35 PID 2652 wrote to memory of 2204 2652 Aokfpjai.exe 35 PID 2204 wrote to memory of 2424 2204 Adhohapp.exe 36 PID 2204 wrote to memory of 2424 2204 Adhohapp.exe 36 PID 2204 wrote to memory of 2424 2204 Adhohapp.exe 36 PID 2204 wrote to memory of 2424 2204 Adhohapp.exe 36 PID 2424 wrote to memory of 1960 2424 Bbolge32.exe 37 PID 2424 wrote to memory of 1960 2424 Bbolge32.exe 37 PID 2424 wrote to memory of 1960 2424 Bbolge32.exe 37 PID 2424 wrote to memory of 1960 2424 Bbolge32.exe 37 PID 1960 wrote to memory of 2848 1960 Bqciha32.exe 38 PID 1960 wrote to memory of 2848 1960 Bqciha32.exe 38 PID 1960 wrote to memory of 2848 1960 Bqciha32.exe 38 PID 1960 wrote to memory of 2848 1960 Bqciha32.exe 38 PID 2848 wrote to memory of 2900 2848 Bmjjmbgc.exe 39 PID 2848 wrote to memory of 2900 2848 Bmjjmbgc.exe 39 PID 2848 wrote to memory of 2900 2848 Bmjjmbgc.exe 39 PID 2848 wrote to memory of 2900 2848 Bmjjmbgc.exe 39 PID 2900 wrote to memory of 688 2900 Bfcnfh32.exe 40 PID 2900 wrote to memory of 688 2900 Bfcnfh32.exe 40 PID 2900 wrote to memory of 688 2900 Bfcnfh32.exe 40 PID 2900 wrote to memory of 688 2900 Bfcnfh32.exe 40 PID 688 wrote to memory of 1612 688 Bmmgbbeq.exe 41 PID 688 wrote to memory of 1612 688 Bmmgbbeq.exe 41 PID 688 wrote to memory of 1612 688 Bmmgbbeq.exe 41 PID 688 wrote to memory of 1612 688 Bmmgbbeq.exe 41 PID 1612 wrote to memory of 2032 1612 Cbllph32.exe 42 PID 1612 wrote to memory of 2032 1612 Cbllph32.exe 42 PID 1612 wrote to memory of 2032 1612 Cbllph32.exe 42 PID 1612 wrote to memory of 2032 1612 Cbllph32.exe 42 PID 2032 wrote to memory of 2252 2032 Cbqekhmp.exe 43 PID 2032 wrote to memory of 2252 2032 Cbqekhmp.exe 43 PID 2032 wrote to memory of 2252 2032 Cbqekhmp.exe 43 PID 2032 wrote to memory of 2252 2032 Cbqekhmp.exe 43 PID 2252 wrote to memory of 328 2252 Ckijdm32.exe 44 PID 2252 wrote to memory of 328 2252 Ckijdm32.exe 44 PID 2252 wrote to memory of 328 2252 Ckijdm32.exe 44 PID 2252 wrote to memory of 328 2252 Ckijdm32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe"C:\Users\Admin\AppData\Local\Temp\e7dac5a7d4cc99a867b9a5d75327d7d2ee79018678727a1af8f1bd045362d2cb.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Acdfki32.exeC:\Windows\system32\Acdfki32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Aokfpjai.exeC:\Windows\system32\Aokfpjai.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Adhohapp.exeC:\Windows\system32\Adhohapp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Bmjjmbgc.exeC:\Windows\system32\Bmjjmbgc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Bfcnfh32.exeC:\Windows\system32\Bfcnfh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Cbqekhmp.exeC:\Windows\system32\Cbqekhmp.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ckijdm32.exeC:\Windows\system32\Ckijdm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Dcfknooi.exeC:\Windows\system32\Dcfknooi.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Djcpqidc.exeC:\Windows\system32\Djcpqidc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Dbneekan.exeC:\Windows\system32\Dbneekan.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Djemfibq.exeC:\Windows\system32\Djemfibq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Deonff32.exeC:\Windows\system32\Deonff32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Dfnjqifb.exeC:\Windows\system32\Dfnjqifb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Ebghkjjc.exeC:\Windows\system32\Ebghkjjc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Edkahbmo.exeC:\Windows\system32\Edkahbmo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Edmnnakm.exeC:\Windows\system32\Edmnnakm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Fcbjon32.exeC:\Windows\system32\Fcbjon32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Fgqcel32.exeC:\Windows\system32\Fgqcel32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Fiopah32.exeC:\Windows\system32\Fiopah32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Falakjag.exeC:\Windows\system32\Falakjag.exe33⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Fldbnb32.exeC:\Windows\system32\Fldbnb32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Gkiooocb.exeC:\Windows\system32\Gkiooocb.exe35⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Gnhkkjbf.exeC:\Windows\system32\Gnhkkjbf.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Gklkdn32.exeC:\Windows\system32\Gklkdn32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Gcgpiq32.exeC:\Windows\system32\Gcgpiq32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Gnmdfi32.exeC:\Windows\system32\Gnmdfi32.exe39⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Gdfmccfm.exeC:\Windows\system32\Gdfmccfm.exe40⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Hfjfpkji.exeC:\Windows\system32\Hfjfpkji.exe41⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Hjfbaj32.exeC:\Windows\system32\Hjfbaj32.exe42⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Hobjia32.exeC:\Windows\system32\Hobjia32.exe43⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe44⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Hmfkbeoc.exeC:\Windows\system32\Hmfkbeoc.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Hcqcoo32.exeC:\Windows\system32\Hcqcoo32.exe46⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Hfookk32.exeC:\Windows\system32\Hfookk32.exe47⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe48⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Hiphmf32.exeC:\Windows\system32\Hiphmf32.exe49⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Hojqjp32.exeC:\Windows\system32\Hojqjp32.exe50⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Hqkmahpp.exeC:\Windows\system32\Hqkmahpp.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Ieiegf32.exeC:\Windows\system32\Ieiegf32.exe53⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Ijenpn32.exeC:\Windows\system32\Ijenpn32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Iekbmfdc.exeC:\Windows\system32\Iekbmfdc.exe55⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ijhkembk.exeC:\Windows\system32\Ijhkembk.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe57⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ijjgkmqh.exeC:\Windows\system32\Ijjgkmqh.exe58⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Imidgh32.exeC:\Windows\system32\Imidgh32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Icbldbgi.exeC:\Windows\system32\Icbldbgi.exe60⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Iiodliep.exeC:\Windows\system32\Iiodliep.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Iceiibef.exeC:\Windows\system32\Iceiibef.exe62⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ifceemdj.exeC:\Windows\system32\Ifceemdj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Jlpmndba.exeC:\Windows\system32\Jlpmndba.exe64⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Jnojjp32.exeC:\Windows\system32\Jnojjp32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Jpnfdbig.exeC:\Windows\system32\Jpnfdbig.exe67⤵
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Jekoljgo.exeC:\Windows\system32\Jekoljgo.exe68⤵PID:1132
-
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe69⤵
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Jbooen32.exeC:\Windows\system32\Jbooen32.exe70⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Jhlgnd32.exeC:\Windows\system32\Jhlgnd32.exe71⤵PID:2088
-
C:\Windows\SysWOW64\Jadlgjjq.exeC:\Windows\system32\Jadlgjjq.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Jdbhcfjd.exeC:\Windows\system32\Jdbhcfjd.exe73⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Johlpoij.exeC:\Windows\system32\Johlpoij.exe74⤵PID:2808
-
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe75⤵PID:2668
-
C:\Windows\SysWOW64\Kkomepon.exeC:\Windows\system32\Kkomepon.exe76⤵PID:2444
-
C:\Windows\SysWOW64\Kplfmfmf.exeC:\Windows\system32\Kplfmfmf.exe77⤵PID:2044
-
C:\Windows\SysWOW64\Kkajkoml.exeC:\Windows\system32\Kkajkoml.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Kidjfl32.exeC:\Windows\system32\Kidjfl32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Kghkppbp.exeC:\Windows\system32\Kghkppbp.exe81⤵PID:1192
-
C:\Windows\SysWOW64\Kldchgag.exeC:\Windows\system32\Kldchgag.exe82⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Kemgqm32.exeC:\Windows\system32\Kemgqm32.exe84⤵
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Kcahjqfa.exeC:\Windows\system32\Kcahjqfa.exe86⤵PID:2080
-
C:\Windows\SysWOW64\Khnqbhdi.exeC:\Windows\system32\Khnqbhdi.exe87⤵PID:2956
-
C:\Windows\SysWOW64\Lohiob32.exeC:\Windows\system32\Lohiob32.exe88⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe89⤵PID:2860
-
C:\Windows\SysWOW64\Lllihf32.exeC:\Windows\system32\Lllihf32.exe90⤵PID:2664
-
C:\Windows\SysWOW64\Lahaqm32.exeC:\Windows\system32\Lahaqm32.exe91⤵
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Lhbjmg32.exeC:\Windows\system32\Lhbjmg32.exe92⤵PID:1004
-
C:\Windows\SysWOW64\Lkafib32.exeC:\Windows\system32\Lkafib32.exe93⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Laknfmgd.exeC:\Windows\system32\Laknfmgd.exe94⤵PID:2700
-
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe95⤵PID:1660
-
C:\Windows\SysWOW64\Lkccob32.exeC:\Windows\system32\Lkccob32.exe96⤵PID:1800
-
C:\Windows\SysWOW64\Lppkgi32.exeC:\Windows\system32\Lppkgi32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Lcnhcdkp.exeC:\Windows\system32\Lcnhcdkp.exe98⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Ljhppo32.exeC:\Windows\system32\Ljhppo32.exe99⤵PID:972
-
C:\Windows\SysWOW64\Llgllj32.exeC:\Windows\system32\Llgllj32.exe100⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Mfoqephq.exeC:\Windows\system32\Mfoqephq.exe101⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Mnfhfmhc.exeC:\Windows\system32\Mnfhfmhc.exe102⤵PID:2168
-
C:\Windows\SysWOW64\Mogene32.exeC:\Windows\system32\Mogene32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Mgomoboc.exeC:\Windows\system32\Mgomoboc.exe104⤵PID:2376
-
C:\Windows\SysWOW64\Mlkegimk.exeC:\Windows\system32\Mlkegimk.exe105⤵PID:3060
-
C:\Windows\SysWOW64\Mojaceln.exeC:\Windows\system32\Mojaceln.exe106⤵PID:2192
-
C:\Windows\SysWOW64\Mfdjpo32.exeC:\Windows\system32\Mfdjpo32.exe107⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Mhbflj32.exeC:\Windows\system32\Mhbflj32.exe108⤵PID:3000
-
C:\Windows\SysWOW64\Mchjjc32.exeC:\Windows\system32\Mchjjc32.exe109⤵PID:2636
-
C:\Windows\SysWOW64\Mbkkepio.exeC:\Windows\system32\Mbkkepio.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Mhdcbjal.exeC:\Windows\system32\Mhdcbjal.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe112⤵
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Mbmgkp32.exeC:\Windows\system32\Mbmgkp32.exe113⤵PID:1696
-
C:\Windows\SysWOW64\Mdkcgk32.exeC:\Windows\system32\Mdkcgk32.exe114⤵PID:2832
-
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe115⤵PID:2616
-
C:\Windows\SysWOW64\Moahdd32.exeC:\Windows\system32\Moahdd32.exe116⤵PID:2292
-
C:\Windows\SysWOW64\Nbodpo32.exeC:\Windows\system32\Nbodpo32.exe117⤵PID:2596
-
C:\Windows\SysWOW64\Ndnplk32.exeC:\Windows\system32\Ndnplk32.exe118⤵
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Nnfeep32.exeC:\Windows\system32\Nnfeep32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Nccmng32.exeC:\Windows\system32\Nccmng32.exe121⤵PID:2604
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-