Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2023, 13:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d357457c204c108eb8c4aa7e5de62a49_JC.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
d357457c204c108eb8c4aa7e5de62a49_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d357457c204c108eb8c4aa7e5de62a49_JC.exe
-
Size
109KB
-
MD5
d357457c204c108eb8c4aa7e5de62a49
-
SHA1
10be8bb6fb26bfba4e7fc407873fca008122ba97
-
SHA256
139dd02d233598ee8c36419b1329661728426c55b1fdd3735b6feb5e9f1328b7
-
SHA512
0df3ff0d64be14b0dca1174b0f5ea238b5f2342288a0a89506bbebaab81c131904c6fe2970d46e8d1866361459eddd4c6547aa1b44d6afef4a6039b4528d4fcf
-
SSDEEP
3072:0of9ZKAJ1KBaQWLN5QWWtmJ9ZLCqwzBu1DjHLMVDqqkSpR:0olZKeHQWDkUJ9hwtu1DjrFqhz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkeio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idkbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phcgcqab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhcbodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lopmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccahbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkkeclfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobdbkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmenca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glgcbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nacmdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifmqfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckqbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imkbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcgnbaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqbpojnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfelogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cndeii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppcmeem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdccbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlilh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbfklei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfkdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkjjlhle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnmfclj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfodeohd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkokcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcmbee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdmqmc32.exe -
Executes dropped EXE 64 IoCs
pid Process 1264 Acnemi32.exe 4624 Aijnep32.exe 4080 Afnnnd32.exe 744 Bjlgdc32.exe 1176 Bcelmhen.exe 1764 Biadeoce.exe 3580 Bidqko32.exe 3484 Bjcmebie.exe 4248 Bggnof32.exe 3644 Cqpbglno.exe 4920 Cikglnkj.exe 3980 Cglgjeci.exe 1628 Cpglnhad.exe 2108 Cippgm32.exe 2008 Cjomap32.exe 1348 Cpleig32.exe 4280 Cjaifp32.exe 4888 Dpnbog32.exe 3224 Diffglam.exe 3916 Diicml32.exe 2872 Dfmcfp32.exe 1580 Dhlpqc32.exe 4560 Dpgeee32.exe 2928 Djmibn32.exe 1720 Eibfck32.exe 3064 Ejbbmnnb.exe 2660 Efhcbodf.exe 3912 Edmclccp.exe 5080 Emehdh32.exe 3420 Ehjlaaig.exe 768 Fpeafcfa.exe 988 Fkkeclfh.exe 4204 Fhofmq32.exe 3312 Fmlneg32.exe 4400 Fhabbp32.exe 4692 Fibojhim.exe 1680 Fhdohp32.exe 4600 Ghkeio32.exe 3784 Gdafnpqh.exe 4356 Gddbcp32.exe 1204 Gahcmd32.exe 3388 Hkpheidp.exe 5076 Hdilnojp.exe 2832 Hammhcij.exe 4300 Hkeaqi32.exe 2640 Hpbiip32.exe 4472 Hkgnfhnh.exe 2696 Haafcb32.exe 4844 Hkjjlhle.exe 4360 Hpfcdojl.exe 1180 Igqkqiai.exe 2680 Iafonaao.exe 528 Ijadbdoj.exe 1816 Ihbdplfi.exe 3140 Iakiia32.exe 384 Ikcmbfcj.exe 100 Idkbkl32.exe 220 Indfca32.exe 2464 Jdnoplhh.exe 2528 Jjjghcfp.exe 1664 Jdpkflfe.exe 2260 Jbdlop32.exe 3824 Jgadgf32.exe 4764 Jbfheo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Alkdoago.dll Ikcmbfcj.exe File opened for modification C:\Windows\SysWOW64\Jhpqaiji.exe Jbfheo32.exe File created C:\Windows\SysWOW64\Ackbmcjl.exe Ahenokjf.exe File opened for modification C:\Windows\SysWOW64\Cfnqklgh.exe Ccpdoqgd.exe File created C:\Windows\SysWOW64\Iljpij32.exe Hgkkkcbc.exe File opened for modification C:\Windows\SysWOW64\Njpdnedf.exe Neclenfo.exe File created C:\Windows\SysWOW64\Ojmjcf32.dll Gpnfge32.exe File opened for modification C:\Windows\SysWOW64\Bgbpaipl.exe Baegibae.exe File created C:\Windows\SysWOW64\Nofhmj32.dll Emehdh32.exe File opened for modification C:\Windows\SysWOW64\Jbdlop32.exe Jdpkflfe.exe File created C:\Windows\SysWOW64\Nhmeapmd.exe Nacmdf32.exe File created C:\Windows\SysWOW64\Gdidcm32.dll Oadfkdgd.exe File created C:\Windows\SysWOW64\Kqphfe32.exe Kjepjkhf.exe File created C:\Windows\SysWOW64\Cdbijb32.dll Nmnqjp32.exe File created C:\Windows\SysWOW64\Dpaagldf.dll Fpdcag32.exe File created C:\Windows\SysWOW64\Fkccgodj.dll Ffqhcq32.exe File created C:\Windows\SysWOW64\Goglcahb.exe Gflhoo32.exe File created C:\Windows\SysWOW64\Gadiippo.dll Ondljl32.exe File created C:\Windows\SysWOW64\Pcmdgodo.dll Cdpcal32.exe File opened for modification C:\Windows\SysWOW64\Oihagaji.exe Oboijgbl.exe File opened for modification C:\Windows\SysWOW64\Fikbocki.exe Ffmfchle.exe File opened for modification C:\Windows\SysWOW64\Gipdap32.exe Gdcliikj.exe File created C:\Windows\SysWOW64\Lqbncb32.exe Lkeekk32.exe File created C:\Windows\SysWOW64\Micgbemj.dll Ckhecmcf.exe File created C:\Windows\SysWOW64\Nklinjmj.dll Dbnmke32.exe File opened for modification C:\Windows\SysWOW64\Fhofmq32.exe Fkkeclfh.exe File created C:\Windows\SysWOW64\Haedpe32.dll Hkjjlhle.exe File opened for modification C:\Windows\SysWOW64\Hlegnjbm.exe Higjaoci.exe File created C:\Windows\SysWOW64\Mbnnhndk.dll Pajeam32.exe File opened for modification C:\Windows\SysWOW64\Hmkigh32.exe Hfaajnfb.exe File created C:\Windows\SysWOW64\Gmmhebph.dll Afnnnd32.exe File created C:\Windows\SysWOW64\Jdnoplhh.exe Indfca32.exe File opened for modification C:\Windows\SysWOW64\Bjnmpl32.exe Bohibc32.exe File opened for modification C:\Windows\SysWOW64\Fjmkoeqi.exe Fdccbl32.exe File created C:\Windows\SysWOW64\Ijcjmmil.exe Idfaefkd.exe File opened for modification C:\Windows\SysWOW64\Omgcpokp.exe Ohkkhhmh.exe File opened for modification C:\Windows\SysWOW64\Ncqlkemc.exe Nqbpojnp.exe File opened for modification C:\Windows\SysWOW64\Fmlneg32.exe Fhofmq32.exe File created C:\Windows\SysWOW64\Kijchhbo.exe Kbpkkn32.exe File opened for modification C:\Windows\SysWOW64\Bfendmoc.exe Bmlilh32.exe File created C:\Windows\SysWOW64\Dlghoa32.exe Dfjpfj32.exe File opened for modification C:\Windows\SysWOW64\Gmiclo32.exe Gbdoof32.exe File created C:\Windows\SysWOW64\Odhifjkg.exe Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Anobgl32.exe Akqfkp32.exe File created C:\Windows\SysWOW64\Klhnfo32.exe Kpanan32.exe File opened for modification C:\Windows\SysWOW64\Mfeeabda.exe Mokmdh32.exe File opened for modification C:\Windows\SysWOW64\Nadleilm.exe Nnfpinmi.exe File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe Pfdjinjo.exe File created C:\Windows\SysWOW64\Aggpfkjj.exe Amnlme32.exe File created C:\Windows\SysWOW64\Qfdngj32.dll Hienlpel.exe File created C:\Windows\SysWOW64\Kglmio32.exe Kdmqmc32.exe File created C:\Windows\SysWOW64\Ppioondd.dll Dbicpfdk.exe File created C:\Windows\SysWOW64\Fpdcag32.exe Fmfgek32.exe File opened for modification C:\Windows\SysWOW64\Holfoqcm.exe Hmkigh32.exe File created C:\Windows\SysWOW64\Gelfeh32.dll Cnjdpaki.exe File created C:\Windows\SysWOW64\Jgadgf32.exe Jbdlop32.exe File created C:\Windows\SysWOW64\Gengje32.dll Pdkoch32.exe File opened for modification C:\Windows\SysWOW64\Dmadco32.exe Dbkqfe32.exe File opened for modification C:\Windows\SysWOW64\Glgcbf32.exe Gihgfk32.exe File opened for modification C:\Windows\SysWOW64\Lbinam32.exe Leenhhdn.exe File opened for modification C:\Windows\SysWOW64\Ahenokjf.exe Afgacokc.exe File created C:\Windows\SysWOW64\Pnnlinml.dll Ijcjmmil.exe File opened for modification C:\Windows\SysWOW64\Lcggio32.exe Lnjnqh32.exe File created C:\Windows\SysWOW64\Dnjfibml.dll Bemqih32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3480 13256 WerFault.exe 644 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfmcfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emkndc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll" Felbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocjoadei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqoll32.dll" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejjepo.dll" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgifbhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflhb32.dll" Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdocoe.dll" Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfndjhh.dll" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhabbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoobn32.dll" Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olealnbk.dll" Dfjpfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfajq32.dll" Mnlnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcplmmbl.dll" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajaoo32.dll" Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll" Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll" Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leenhhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmmbbejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpmfmao.dll" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagnlg32.dll" Nklbmllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll" Hlepcdoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnneheln.dll" Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cicdai32.dll" Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpolbbim.dll" Nmdgikhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdodkebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjem32.dll" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqbncb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akepfpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkgabfn.dll" Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lippqp32.dll" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll" Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccpdoqgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpcfmkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egacbb32.dll" Ikbfgppo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1292 wrote to memory of 1264 1292 d357457c204c108eb8c4aa7e5de62a49_JC.exe 82 PID 1292 wrote to memory of 1264 1292 d357457c204c108eb8c4aa7e5de62a49_JC.exe 82 PID 1292 wrote to memory of 1264 1292 d357457c204c108eb8c4aa7e5de62a49_JC.exe 82 PID 1264 wrote to memory of 4624 1264 Acnemi32.exe 83 PID 1264 wrote to memory of 4624 1264 Acnemi32.exe 83 PID 1264 wrote to memory of 4624 1264 Acnemi32.exe 83 PID 4624 wrote to memory of 4080 4624 Aijnep32.exe 84 PID 4624 wrote to memory of 4080 4624 Aijnep32.exe 84 PID 4624 wrote to memory of 4080 4624 Aijnep32.exe 84 PID 4080 wrote to memory of 744 4080 Afnnnd32.exe 86 PID 4080 wrote to memory of 744 4080 Afnnnd32.exe 86 PID 4080 wrote to memory of 744 4080 Afnnnd32.exe 86 PID 744 wrote to memory of 1176 744 Bjlgdc32.exe 87 PID 744 wrote to memory of 1176 744 Bjlgdc32.exe 87 PID 744 wrote to memory of 1176 744 Bjlgdc32.exe 87 PID 1176 wrote to memory of 1764 1176 Bcelmhen.exe 88 PID 1176 wrote to memory of 1764 1176 Bcelmhen.exe 88 PID 1176 wrote to memory of 1764 1176 Bcelmhen.exe 88 PID 1764 wrote to memory of 3580 1764 Biadeoce.exe 89 PID 1764 wrote to memory of 3580 1764 Biadeoce.exe 89 PID 1764 wrote to memory of 3580 1764 Biadeoce.exe 89 PID 3580 wrote to memory of 3484 3580 Bidqko32.exe 90 PID 3580 wrote to memory of 3484 3580 Bidqko32.exe 90 PID 3580 wrote to memory of 3484 3580 Bidqko32.exe 90 PID 3484 wrote to memory of 4248 3484 Bjcmebie.exe 91 PID 3484 wrote to memory of 4248 3484 Bjcmebie.exe 91 PID 3484 wrote to memory of 4248 3484 Bjcmebie.exe 91 PID 4248 wrote to memory of 3644 4248 Bggnof32.exe 92 PID 4248 wrote to memory of 3644 4248 Bggnof32.exe 92 PID 4248 wrote to memory of 3644 4248 Bggnof32.exe 92 PID 3644 wrote to memory of 4920 3644 Cqpbglno.exe 93 PID 3644 wrote to memory of 4920 3644 Cqpbglno.exe 93 PID 3644 wrote to memory of 4920 3644 Cqpbglno.exe 93 PID 4920 wrote to memory of 3980 4920 Cikglnkj.exe 94 PID 4920 wrote to memory of 3980 4920 Cikglnkj.exe 94 PID 4920 wrote to memory of 3980 4920 Cikglnkj.exe 94 PID 3980 wrote to memory of 1628 3980 Cglgjeci.exe 95 PID 3980 wrote to memory of 1628 3980 Cglgjeci.exe 95 PID 3980 wrote to memory of 1628 3980 Cglgjeci.exe 95 PID 1628 wrote to memory of 2108 1628 Cpglnhad.exe 96 PID 1628 wrote to memory of 2108 1628 Cpglnhad.exe 96 PID 1628 wrote to memory of 2108 1628 Cpglnhad.exe 96 PID 2108 wrote to memory of 2008 2108 Cippgm32.exe 97 PID 2108 wrote to memory of 2008 2108 Cippgm32.exe 97 PID 2108 wrote to memory of 2008 2108 Cippgm32.exe 97 PID 2008 wrote to memory of 1348 2008 Cjomap32.exe 98 PID 2008 wrote to memory of 1348 2008 Cjomap32.exe 98 PID 2008 wrote to memory of 1348 2008 Cjomap32.exe 98 PID 1348 wrote to memory of 4280 1348 Cpleig32.exe 99 PID 1348 wrote to memory of 4280 1348 Cpleig32.exe 99 PID 1348 wrote to memory of 4280 1348 Cpleig32.exe 99 PID 4280 wrote to memory of 4888 4280 Cjaifp32.exe 100 PID 4280 wrote to memory of 4888 4280 Cjaifp32.exe 100 PID 4280 wrote to memory of 4888 4280 Cjaifp32.exe 100 PID 4888 wrote to memory of 3224 4888 Dpnbog32.exe 101 PID 4888 wrote to memory of 3224 4888 Dpnbog32.exe 101 PID 4888 wrote to memory of 3224 4888 Dpnbog32.exe 101 PID 3224 wrote to memory of 3916 3224 Diffglam.exe 102 PID 3224 wrote to memory of 3916 3224 Diffglam.exe 102 PID 3224 wrote to memory of 3916 3224 Diffglam.exe 102 PID 3916 wrote to memory of 2872 3916 Diicml32.exe 103 PID 3916 wrote to memory of 2872 3916 Diicml32.exe 103 PID 3916 wrote to memory of 2872 3916 Diicml32.exe 103 PID 2872 wrote to memory of 1580 2872 Dfmcfp32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d357457c204c108eb8c4aa7e5de62a49_JC.exe"C:\Users\Admin\AppData\Local\Temp\d357457c204c108eb8c4aa7e5de62a49_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe23⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe24⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe25⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe26⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe27⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe29⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5080 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe31⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe32⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3312 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe37⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe38⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe40⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe41⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe43⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe44⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe45⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe47⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe48⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe49⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe51⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe52⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe53⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe54⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe55⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:384 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe60⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe61⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe64⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4764 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe66⤵PID:3628
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe67⤵PID:2120
-
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe68⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe69⤵
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe70⤵
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe71⤵PID:3444
-
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe72⤵PID:4784
-
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe73⤵PID:4032
-
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe74⤵PID:3332
-
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe75⤵PID:392
-
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe76⤵
- Drops file in System32 directory
PID:4928 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe77⤵PID:336
-
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe78⤵PID:1892
-
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe79⤵PID:2668
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe80⤵PID:4960
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe81⤵PID:2292
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe83⤵PID:1308
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe84⤵PID:3364
-
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe85⤵PID:2288
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe86⤵PID:4668
-
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe87⤵PID:5132
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe88⤵PID:5176
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe89⤵PID:5332
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe90⤵PID:5380
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe91⤵PID:5424
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe92⤵PID:5468
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe93⤵PID:5508
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe94⤵PID:5556
-
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe95⤵PID:5600
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe96⤵PID:5644
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe97⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe98⤵PID:5732
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe99⤵PID:5776
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe100⤵PID:5820
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe101⤵PID:5864
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe102⤵PID:5908
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5952 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe104⤵PID:5992
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6040 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe107⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe108⤵
- Modifies registry class
PID:5252 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe109⤵PID:5216
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe110⤵PID:5340
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe111⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe112⤵PID:5496
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe113⤵PID:5544
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe114⤵PID:5640
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe115⤵PID:5696
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe116⤵PID:5752
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe117⤵PID:5832
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe118⤵PID:5904
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe119⤵PID:5972
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe120⤵
- Drops file in System32 directory
PID:6048 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe121⤵PID:6132
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-