Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
22s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15/07/2024, 12:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d8788be5319a05d24298c2379cae8740N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
d8788be5319a05d24298c2379cae8740N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
d8788be5319a05d24298c2379cae8740N.exe
-
Size
81KB
-
MD5
d8788be5319a05d24298c2379cae8740
-
SHA1
7aa9e1e00f63b64702ef23675e2cf9475f45df33
-
SHA256
133c5c67f6187390ba3606b2aa19ecdb5c5063bd2da2aa026841774b950c3cf5
-
SHA512
fc428a2f4d19690d4c4cd4583bef62113cca5ff31a61b5c7bd78cfd3454135a728d98337b9f97b428df968b0ba021a511cf91f0224f391a22569148115f38489
-
SSDEEP
1536:B97x56coNfdsWqaLJ5bW4BcvZCp7m4LO++/+1m6KadhYxU33HX0L:b7x56AWqaLuMmZCp/LrCimBaH8UH30L
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad d8788be5319a05d24298c2379cae8740N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqjbme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfehpobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnojpdfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiaddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lffjih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlhpiia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfoni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Empclg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Negffbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbdfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkedbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnanbijd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahamdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkfoikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpbmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Japfphle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loaaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmpafnld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knlpphnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iekbob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jboapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecdffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdohq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okhboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhombc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhagodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khbpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noiiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkglenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acqpdgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilamd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnadiko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfcei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljjabfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akoghnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghaabdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmcnmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bannajom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbncmih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchcmnlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penlon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekfpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkfpefme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Memagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpgmhkfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndjloanf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adagjagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emojih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbbbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abaaakob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnheniaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Encgglkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idncdgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejcjfgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqfdlmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapcaocc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgahcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajidnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aopffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kehidp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aliejq32.exe -
Executes dropped EXE 64 IoCs
pid Process 3064 Egmeadbk.exe 1492 Ecdffe32.exe 2004 Efdohq32.exe 2456 Ebkpma32.exe 2752 Eiheok32.exe 2640 Fijadk32.exe 2624 Faefim32.exe 3044 Fhakkg32.exe 2704 Ffghlcei.exe 2488 Ffiebc32.exe 824 Gdmekg32.exe 2580 Gbbbld32.exe 1812 Geckno32.exe 952 Giaddm32.exe 2980 Hdjedk32.exe 1680 Hanenoeh.exe 2364 Hgknffcp.exe 2496 Hngbhp32.exe 2504 Hgpgae32.exe 816 Hphljkfk.exe 1764 Heedbbdb.exe 1076 Iomhkgkb.exe 612 Ipmeej32.exe 2940 Ilcfjkgj.exe 1604 Icnngeof.exe 2148 Iogkaf32.exe 856 Jjqlbdog.exe 2520 Jjcigcmd.exe 3020 Jfijmdbh.exe 2208 Jqonjmbn.exe 2812 Jbbgge32.exe 2896 Jmhkdnfp.exe 2852 Kfqpmc32.exe 1092 Koidficq.exe 2664 Knnagehi.exe 2788 Kehidp32.exe 304 Knqnmeff.exe 1684 Kcmfeldm.exe 1200 Knckbe32.exe 2296 Lneghd32.exe 892 Lhnlqjha.exe 2428 Liohhbno.exe 456 Mihkoa32.exe 2700 Mhmhpm32.exe 2368 Meaiia32.exe 536 Mmlmmdga.exe 1552 Mgebfi32.exe 2984 Mmojcceo.exe 472 Mclbkjcf.exe 1692 Mmaghc32.exe 2564 Ndkoemji.exe 3012 Nmccnc32.exe 2696 Noepfkgh.exe 1592 Npdlpnnj.exe 2836 Nimaic32.exe 2956 Noiiaj32.exe 2628 Najbbepc.exe 2076 Onacgf32.exe 2584 Odkkdqmd.exe 412 Ojhdmgkl.exe 1676 Ogldfl32.exe 2860 Ocbekmpi.exe 2944 Onhihepp.exe 804 Ofcnmh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2056 d8788be5319a05d24298c2379cae8740N.exe 2056 d8788be5319a05d24298c2379cae8740N.exe 3064 Egmeadbk.exe 3064 Egmeadbk.exe 1492 Ecdffe32.exe 1492 Ecdffe32.exe 2004 Efdohq32.exe 2004 Efdohq32.exe 2456 Ebkpma32.exe 2456 Ebkpma32.exe 2752 Eiheok32.exe 2752 Eiheok32.exe 2640 Fijadk32.exe 2640 Fijadk32.exe 2624 Faefim32.exe 2624 Faefim32.exe 3044 Fhakkg32.exe 3044 Fhakkg32.exe 2704 Ffghlcei.exe 2704 Ffghlcei.exe 2488 Ffiebc32.exe 2488 Ffiebc32.exe 824 Gdmekg32.exe 824 Gdmekg32.exe 2580 Gbbbld32.exe 2580 Gbbbld32.exe 1812 Geckno32.exe 1812 Geckno32.exe 952 Giaddm32.exe 952 Giaddm32.exe 2980 Hdjedk32.exe 2980 Hdjedk32.exe 1680 Hanenoeh.exe 1680 Hanenoeh.exe 2364 Hgknffcp.exe 2364 Hgknffcp.exe 2496 Hngbhp32.exe 2496 Hngbhp32.exe 2504 Hgpgae32.exe 2504 Hgpgae32.exe 816 Hphljkfk.exe 816 Hphljkfk.exe 1764 Heedbbdb.exe 1764 Heedbbdb.exe 1076 Iomhkgkb.exe 1076 Iomhkgkb.exe 612 Ipmeej32.exe 612 Ipmeej32.exe 2940 Ilcfjkgj.exe 2940 Ilcfjkgj.exe 1604 Icnngeof.exe 1604 Icnngeof.exe 2148 Iogkaf32.exe 2148 Iogkaf32.exe 856 Jjqlbdog.exe 856 Jjqlbdog.exe 2520 Jjcigcmd.exe 2520 Jjcigcmd.exe 3020 Jfijmdbh.exe 3020 Jfijmdbh.exe 2208 Jqonjmbn.exe 2208 Jqonjmbn.exe 2812 Jbbgge32.exe 2812 Jbbgge32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kikkdlge.dll Fddcqm32.exe File opened for modification C:\Windows\SysWOW64\Mkeogn32.exe Lfhgng32.exe File created C:\Windows\SysWOW64\Qaecoekp.dll Bpnkmadn.exe File created C:\Windows\SysWOW64\Fdcahdib.exe Fgpqnpjh.exe File opened for modification C:\Windows\SysWOW64\Gqgjlb32.exe Ggofcmih.exe File created C:\Windows\SysWOW64\Mcagma32.exe Mfngdmgb.exe File created C:\Windows\SysWOW64\Njfbno32.exe Nannejni.exe File created C:\Windows\SysWOW64\Pkglenej.exe Pfjdmggb.exe File created C:\Windows\SysWOW64\Hgaegeac.dll Kkhdohnm.exe File opened for modification C:\Windows\SysWOW64\Mphfji32.exe Mjialchg.exe File created C:\Windows\SysWOW64\Bhhfnd32.exe Bannajom.exe File opened for modification C:\Windows\SysWOW64\Kehidp32.exe Knnagehi.exe File created C:\Windows\SysWOW64\Hgjjbc32.dll Dajiag32.exe File opened for modification C:\Windows\SysWOW64\Iankbldh.exe Ikcbfb32.exe File opened for modification C:\Windows\SysWOW64\Phacnm32.exe Okkfoikl.exe File created C:\Windows\SysWOW64\Ianfacjk.dll Ogbkakeo.exe File opened for modification C:\Windows\SysWOW64\Dfoplkel.exe Dqagddge.exe File created C:\Windows\SysWOW64\Hkhkco32.dll Nlpamn32.exe File opened for modification C:\Windows\SysWOW64\Qagehaon.exe Qjmmkgga.exe File opened for modification C:\Windows\SysWOW64\Dnoqbi32.exe Dgehfodh.exe File opened for modification C:\Windows\SysWOW64\Kgcbpemp.exe Kqijck32.exe File created C:\Windows\SysWOW64\Cpccnp32.exe Ckbakiee.exe File opened for modification C:\Windows\SysWOW64\Jmafocbb.exe Jhengldk.exe File created C:\Windows\SysWOW64\Kjpafanf.exe Kgaejeoc.exe File created C:\Windows\SysWOW64\Fgpqnpjh.exe Fbchfi32.exe File created C:\Windows\SysWOW64\Kpecad32.exe Jgmnhojl.exe File opened for modification C:\Windows\SysWOW64\Bkfigqjn.exe Bcoafcjk.exe File opened for modification C:\Windows\SysWOW64\Dkggel32.exe Danblfmk.exe File created C:\Windows\SysWOW64\Jeachk32.dll Kbcjkbdi.exe File created C:\Windows\SysWOW64\Dkbpbi32.dll Ngeekfka.exe File created C:\Windows\SysWOW64\Mihkoa32.exe Liohhbno.exe File created C:\Windows\SysWOW64\Ibofgebi.dll Nabegpbp.exe File created C:\Windows\SysWOW64\Ejcjfgbk.exe Eqjenb32.exe File created C:\Windows\SysWOW64\Edeeaj32.dll Egnjbfqc.exe File created C:\Windows\SysWOW64\Jojpkd32.dll Cobkja32.exe File opened for modification C:\Windows\SysWOW64\Aiipmb32.exe Apakdmpp.exe File created C:\Windows\SysWOW64\Glgpfkgh.dll Neagan32.exe File opened for modification C:\Windows\SysWOW64\Pjdeaohb.exe Plpehj32.exe File created C:\Windows\SysWOW64\Genhid32.dll Pqfdlmic.exe File created C:\Windows\SysWOW64\Bgbqlm32.exe Bjopbh32.exe File opened for modification C:\Windows\SysWOW64\Jbbgge32.exe Jqonjmbn.exe File opened for modification C:\Windows\SysWOW64\Njconi32.exe Negffbdi.exe File opened for modification C:\Windows\SysWOW64\Gcqika32.exe Gihdblpi.exe File opened for modification C:\Windows\SysWOW64\Pekkga32.exe Ppoboj32.exe File opened for modification C:\Windows\SysWOW64\Aopffk32.exe Aalemg32.exe File created C:\Windows\SysWOW64\Kqijck32.exe Kjpafanf.exe File created C:\Windows\SysWOW64\Ddjbbbna.exe Dlomnp32.exe File created C:\Windows\SysWOW64\Cgpnlgak.exe Bbbedqcc.exe File opened for modification C:\Windows\SysWOW64\Gdciej32.exe Gjndha32.exe File created C:\Windows\SysWOW64\Qdeokd32.exe Qhnnfc32.exe File created C:\Windows\SysWOW64\Kaigmoiq.exe Khpccibp.exe File created C:\Windows\SysWOW64\Cjklgj32.dll Nkjgiiln.exe File created C:\Windows\SysWOW64\Bakgmgpe.exe Ajqoqm32.exe File created C:\Windows\SysWOW64\Elmmhc32.exe Egpdom32.exe File created C:\Windows\SysWOW64\Jmmggo32.dll Hfmfjh32.exe File created C:\Windows\SysWOW64\Oiikjkdg.dll Hinolcbf.exe File opened for modification C:\Windows\SysWOW64\Cekihh32.exe Ckeekp32.exe File created C:\Windows\SysWOW64\Diofenki.exe Dfnncb32.exe File created C:\Windows\SysWOW64\Jgpmbmbl.dll Pabidiko.exe File created C:\Windows\SysWOW64\Bnfhjgcg.dll Feboahlo.exe File created C:\Windows\SysWOW64\Pfekbg32.exe Oqibjq32.exe File created C:\Windows\SysWOW64\Gglimm32.exe Gbpaef32.exe File created C:\Windows\SysWOW64\Hinolcbf.exe Hnhjok32.exe File opened for modification C:\Windows\SysWOW64\Ocakjjok.exe Omgcmp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4260 3432 Process not Found 326 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmoone32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdpjjaiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdcinjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmlilfkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahkgeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkanhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgpmm32.dll" Mhibik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjloanf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giaddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldopgbl.dll" Jookedhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcdkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfihjm32.dll" Qklhifhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilggal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjmcnmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhdfhmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgnkkjgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkffl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdhokpm.dll" Cdhjjddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glimdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holgpe32.dll" Jmhkdnfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfekbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjonlee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cddqod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdnppf32.dll" Hcbapdgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghdfhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbpaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cahbem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gndjpoaa.dll" Iiaddb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfpagd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnqhcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhhfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdgpj32.dll" Hngbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieebfp32.dll" Ocedieek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkomhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmlilfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcqika32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhqico32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecmlomgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahiimj32.dll" Ajqoqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgpqnpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkkkgkla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpdbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agngqmhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phjgdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfngdmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnlhcog.dll" Dlppgihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emmljodk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahlnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgmagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igkdfghj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhchf32.dll" Bpbadcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibfcei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haadlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcooinfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cemadn32.dll" Jcaekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oablmg32.dll" Pengmqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnbnj32.dll" Klqmaebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnadjb32.dll" Coghfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfblfeb.dll" Jddfbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhofpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnanbijd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgknffcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgaaiian.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 3064 2056 d8788be5319a05d24298c2379cae8740N.exe 29 PID 2056 wrote to memory of 3064 2056 d8788be5319a05d24298c2379cae8740N.exe 29 PID 2056 wrote to memory of 3064 2056 d8788be5319a05d24298c2379cae8740N.exe 29 PID 2056 wrote to memory of 3064 2056 d8788be5319a05d24298c2379cae8740N.exe 29 PID 3064 wrote to memory of 1492 3064 Egmeadbk.exe 30 PID 3064 wrote to memory of 1492 3064 Egmeadbk.exe 30 PID 3064 wrote to memory of 1492 3064 Egmeadbk.exe 30 PID 3064 wrote to memory of 1492 3064 Egmeadbk.exe 30 PID 1492 wrote to memory of 2004 1492 Ecdffe32.exe 31 PID 1492 wrote to memory of 2004 1492 Ecdffe32.exe 31 PID 1492 wrote to memory of 2004 1492 Ecdffe32.exe 31 PID 1492 wrote to memory of 2004 1492 Ecdffe32.exe 31 PID 2004 wrote to memory of 2456 2004 Efdohq32.exe 32 PID 2004 wrote to memory of 2456 2004 Efdohq32.exe 32 PID 2004 wrote to memory of 2456 2004 Efdohq32.exe 32 PID 2004 wrote to memory of 2456 2004 Efdohq32.exe 32 PID 2456 wrote to memory of 2752 2456 Ebkpma32.exe 33 PID 2456 wrote to memory of 2752 2456 Ebkpma32.exe 33 PID 2456 wrote to memory of 2752 2456 Ebkpma32.exe 33 PID 2456 wrote to memory of 2752 2456 Ebkpma32.exe 33 PID 2752 wrote to memory of 2640 2752 Eiheok32.exe 34 PID 2752 wrote to memory of 2640 2752 Eiheok32.exe 34 PID 2752 wrote to memory of 2640 2752 Eiheok32.exe 34 PID 2752 wrote to memory of 2640 2752 Eiheok32.exe 34 PID 2640 wrote to memory of 2624 2640 Fijadk32.exe 35 PID 2640 wrote to memory of 2624 2640 Fijadk32.exe 35 PID 2640 wrote to memory of 2624 2640 Fijadk32.exe 35 PID 2640 wrote to memory of 2624 2640 Fijadk32.exe 35 PID 2624 wrote to memory of 3044 2624 Faefim32.exe 36 PID 2624 wrote to memory of 3044 2624 Faefim32.exe 36 PID 2624 wrote to memory of 3044 2624 Faefim32.exe 36 PID 2624 wrote to memory of 3044 2624 Faefim32.exe 36 PID 3044 wrote to memory of 2704 3044 Fhakkg32.exe 37 PID 3044 wrote to memory of 2704 3044 Fhakkg32.exe 37 PID 3044 wrote to memory of 2704 3044 Fhakkg32.exe 37 PID 3044 wrote to memory of 2704 3044 Fhakkg32.exe 37 PID 2704 wrote to memory of 2488 2704 Ffghlcei.exe 38 PID 2704 wrote to memory of 2488 2704 Ffghlcei.exe 38 PID 2704 wrote to memory of 2488 2704 Ffghlcei.exe 38 PID 2704 wrote to memory of 2488 2704 Ffghlcei.exe 38 PID 2488 wrote to memory of 824 2488 Ffiebc32.exe 39 PID 2488 wrote to memory of 824 2488 Ffiebc32.exe 39 PID 2488 wrote to memory of 824 2488 Ffiebc32.exe 39 PID 2488 wrote to memory of 824 2488 Ffiebc32.exe 39 PID 824 wrote to memory of 2580 824 Gdmekg32.exe 40 PID 824 wrote to memory of 2580 824 Gdmekg32.exe 40 PID 824 wrote to memory of 2580 824 Gdmekg32.exe 40 PID 824 wrote to memory of 2580 824 Gdmekg32.exe 40 PID 2580 wrote to memory of 1812 2580 Gbbbld32.exe 41 PID 2580 wrote to memory of 1812 2580 Gbbbld32.exe 41 PID 2580 wrote to memory of 1812 2580 Gbbbld32.exe 41 PID 2580 wrote to memory of 1812 2580 Gbbbld32.exe 41 PID 1812 wrote to memory of 952 1812 Geckno32.exe 42 PID 1812 wrote to memory of 952 1812 Geckno32.exe 42 PID 1812 wrote to memory of 952 1812 Geckno32.exe 42 PID 1812 wrote to memory of 952 1812 Geckno32.exe 42 PID 952 wrote to memory of 2980 952 Giaddm32.exe 43 PID 952 wrote to memory of 2980 952 Giaddm32.exe 43 PID 952 wrote to memory of 2980 952 Giaddm32.exe 43 PID 952 wrote to memory of 2980 952 Giaddm32.exe 43 PID 2980 wrote to memory of 1680 2980 Hdjedk32.exe 44 PID 2980 wrote to memory of 1680 2980 Hdjedk32.exe 44 PID 2980 wrote to memory of 1680 2980 Hdjedk32.exe 44 PID 2980 wrote to memory of 1680 2980 Hdjedk32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8788be5319a05d24298c2379cae8740N.exe"C:\Users\Admin\AppData\Local\Temp\d8788be5319a05d24298c2379cae8740N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Egmeadbk.exeC:\Windows\system32\Egmeadbk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Ecdffe32.exeC:\Windows\system32\Ecdffe32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Efdohq32.exeC:\Windows\system32\Efdohq32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ebkpma32.exeC:\Windows\system32\Ebkpma32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Eiheok32.exeC:\Windows\system32\Eiheok32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Fijadk32.exeC:\Windows\system32\Fijadk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Faefim32.exeC:\Windows\system32\Faefim32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Fhakkg32.exeC:\Windows\system32\Fhakkg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Ffghlcei.exeC:\Windows\system32\Ffghlcei.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ffiebc32.exeC:\Windows\system32\Ffiebc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Gdmekg32.exeC:\Windows\system32\Gdmekg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Gbbbld32.exeC:\Windows\system32\Gbbbld32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Geckno32.exeC:\Windows\system32\Geckno32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Giaddm32.exeC:\Windows\system32\Giaddm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Hdjedk32.exeC:\Windows\system32\Hdjedk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Hanenoeh.exeC:\Windows\system32\Hanenoeh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Hgknffcp.exeC:\Windows\system32\Hgknffcp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Hngbhp32.exeC:\Windows\system32\Hngbhp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Heedbbdb.exeC:\Windows\system32\Heedbbdb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Iomhkgkb.exeC:\Windows\system32\Iomhkgkb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Ipmeej32.exeC:\Windows\system32\Ipmeej32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Ilcfjkgj.exeC:\Windows\system32\Ilcfjkgj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Icnngeof.exeC:\Windows\system32\Icnngeof.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Iogkaf32.exeC:\Windows\system32\Iogkaf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Jjqlbdog.exeC:\Windows\system32\Jjqlbdog.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Jbbgge32.exeC:\Windows\system32\Jbbgge32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Jmhkdnfp.exeC:\Windows\system32\Jmhkdnfp.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Kfqpmc32.exeC:\Windows\system32\Kfqpmc32.exe34⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Koidficq.exeC:\Windows\system32\Koidficq.exe35⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Kehidp32.exeC:\Windows\system32\Kehidp32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe38⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Kcmfeldm.exeC:\Windows\system32\Kcmfeldm.exe39⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Knckbe32.exeC:\Windows\system32\Knckbe32.exe40⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe41⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Lhnlqjha.exeC:\Windows\system32\Lhnlqjha.exe42⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe44⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Mhmhpm32.exeC:\Windows\system32\Mhmhpm32.exe45⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Meaiia32.exeC:\Windows\system32\Meaiia32.exe46⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe47⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Mgebfi32.exeC:\Windows\system32\Mgebfi32.exe48⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe49⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Mclbkjcf.exeC:\Windows\system32\Mclbkjcf.exe50⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Mmaghc32.exeC:\Windows\system32\Mmaghc32.exe51⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Ndkoemji.exeC:\Windows\system32\Ndkoemji.exe52⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nmccnc32.exeC:\Windows\system32\Nmccnc32.exe53⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Noepfkgh.exeC:\Windows\system32\Noepfkgh.exe54⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Npdlpnnj.exeC:\Windows\system32\Npdlpnnj.exe55⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe56⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe58⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Onacgf32.exeC:\Windows\system32\Onacgf32.exe59⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Odkkdqmd.exeC:\Windows\system32\Odkkdqmd.exe60⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Ojhdmgkl.exeC:\Windows\system32\Ojhdmgkl.exe61⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Ogldfl32.exeC:\Windows\system32\Ogldfl32.exe62⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ocbekmpi.exeC:\Windows\system32\Ocbekmpi.exe63⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Onhihepp.exeC:\Windows\system32\Onhihepp.exe64⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe65⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe66⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe67⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe68⤵PID:1736
-
C:\Windows\SysWOW64\Pmbpda32.exeC:\Windows\system32\Pmbpda32.exe69⤵PID:1848
-
C:\Windows\SysWOW64\Pfjdmggb.exeC:\Windows\system32\Pfjdmggb.exe70⤵
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Pqdend32.exeC:\Windows\system32\Pqdend32.exe72⤵PID:3052
-
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe73⤵PID:2096
-
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe74⤵PID:2236
-
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe75⤵PID:2392
-
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe76⤵PID:2960
-
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe77⤵PID:2568
-
C:\Windows\SysWOW64\Qmoone32.exeC:\Windows\system32\Qmoone32.exe78⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe79⤵PID:1864
-
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe80⤵PID:976
-
C:\Windows\SysWOW64\Ajelmiag.exeC:\Windows\system32\Ajelmiag.exe81⤵PID:972
-
C:\Windows\SysWOW64\Abaaakob.exeC:\Windows\system32\Abaaakob.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Aliejq32.exeC:\Windows\system32\Aliejq32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Abcngkmp.exeC:\Windows\system32\Abcngkmp.exe84⤵PID:1340
-
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe85⤵PID:2512
-
C:\Windows\SysWOW64\Abejlj32.exeC:\Windows\system32\Abejlj32.exe86⤵PID:1328
-
C:\Windows\SysWOW64\Ajqoqm32.exeC:\Windows\system32\Ajqoqm32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Bakgmgpe.exeC:\Windows\system32\Bakgmgpe.exe88⤵PID:596
-
C:\Windows\SysWOW64\Bmahbhei.exeC:\Windows\system32\Bmahbhei.exe89⤵PID:2552
-
C:\Windows\SysWOW64\Bhglpqeo.exeC:\Windows\system32\Bhglpqeo.exe90⤵PID:3028
-
C:\Windows\SysWOW64\Bmdehgcf.exeC:\Windows\system32\Bmdehgcf.exe91⤵PID:1476
-
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe92⤵
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Bmfamg32.exeC:\Windows\system32\Bmfamg32.exe93⤵PID:2648
-
C:\Windows\SysWOW64\Bdpjjaiq.exeC:\Windows\system32\Bdpjjaiq.exe94⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe95⤵PID:2292
-
C:\Windows\SysWOW64\Clnkdc32.exeC:\Windows\system32\Clnkdc32.exe96⤵PID:1808
-
C:\Windows\SysWOW64\Cefpmiji.exeC:\Windows\system32\Cefpmiji.exe97⤵PID:2104
-
C:\Windows\SysWOW64\Clphjc32.exeC:\Windows\system32\Clphjc32.exe98⤵PID:2936
-
C:\Windows\SysWOW64\Campbj32.exeC:\Windows\system32\Campbj32.exe99⤵PID:1616
-
C:\Windows\SysWOW64\Ckeekp32.exeC:\Windows\system32\Ckeekp32.exe100⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Cekihh32.exeC:\Windows\system32\Cekihh32.exe101⤵PID:1012
-
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe102⤵PID:2992
-
C:\Windows\SysWOW64\Cgnbepjp.exeC:\Windows\system32\Cgnbepjp.exe103⤵PID:2092
-
C:\Windows\SysWOW64\Cnhjbjam.exeC:\Windows\system32\Cnhjbjam.exe104⤵PID:2288
-
C:\Windows\SysWOW64\Dhnoocab.exeC:\Windows\system32\Dhnoocab.exe105⤵PID:2736
-
C:\Windows\SysWOW64\Dklkkoqf.exeC:\Windows\system32\Dklkkoqf.exe106⤵PID:2840
-
C:\Windows\SysWOW64\Dddodd32.exeC:\Windows\system32\Dddodd32.exe107⤵PID:2772
-
C:\Windows\SysWOW64\Dkohanoc.exeC:\Windows\system32\Dkohanoc.exe108⤵PID:928
-
C:\Windows\SysWOW64\Dgehfodh.exeC:\Windows\system32\Dgehfodh.exe109⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Dnoqbi32.exeC:\Windows\system32\Dnoqbi32.exe110⤵PID:1792
-
C:\Windows\SysWOW64\Dclikp32.exeC:\Windows\system32\Dclikp32.exe111⤵PID:2400
-
C:\Windows\SysWOW64\Djfagjai.exeC:\Windows\system32\Djfagjai.exe112⤵PID:2248
-
C:\Windows\SysWOW64\Docjpa32.exeC:\Windows\system32\Docjpa32.exe113⤵PID:2500
-
C:\Windows\SysWOW64\Djhnmj32.exeC:\Windows\system32\Djhnmj32.exe114⤵PID:632
-
C:\Windows\SysWOW64\Hbagaa32.exeC:\Windows\system32\Hbagaa32.exe115⤵PID:2484
-
C:\Windows\SysWOW64\Hhnpih32.exeC:\Windows\system32\Hhnpih32.exe116⤵PID:2764
-
C:\Windows\SysWOW64\Hbcdfq32.exeC:\Windows\system32\Hbcdfq32.exe117⤵PID:2844
-
C:\Windows\SysWOW64\Hinlck32.exeC:\Windows\system32\Hinlck32.exe118⤵PID:2768
-
C:\Windows\SysWOW64\Hkoikcaq.exeC:\Windows\system32\Hkoikcaq.exe119⤵PID:1236
-
C:\Windows\SysWOW64\Haiagm32.exeC:\Windows\system32\Haiagm32.exe120⤵PID:1116
-
C:\Windows\SysWOW64\Ikafpbon.exeC:\Windows\system32\Ikafpbon.exe121⤵PID:2644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-