Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/03/2024, 22:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d.exe
-
Size
124KB
-
MD5
18b5eeee9a70df69722fa2643b2084ed
-
SHA1
d2509b0cb843a1702f492b242e0a0b709d302c3d
-
SHA256
99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d
-
SHA512
9358e55ce8376130131e6d4c4f43d541767d5f586d68f7470e180340b95599ef1a56fe894ce3bab0ae6b227253f299b3e350e4b44ef52e648a9d5d855abe8310
-
SSDEEP
3072:Y+f1OprkRzsREhj5avj6+JB8M6m9jqLsFmsr:YSdRUEhlavj6MB8Mhjwszr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepmlimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgneampk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foqkdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gochjpho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjlnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohgoaehe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmnlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjmgdlf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedoge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eonehbjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igqkqiai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgfgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepifi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cafpanem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdggmlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abngjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpofpdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eonehbjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibfck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bganhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdfgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giofnacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfjijgq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djpnohej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbflcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkojgao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andgoobc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghpendjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmhlihl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgagbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdqba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeaikh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgkdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqciba32.exe -
Executes dropped EXE 64 IoCs
pid Process 2344 Bbhqjchp.exe 3232 Befmfngc.exe 3952 Blpechop.exe 3620 Booaodnd.exe 4388 Bammlomg.exe 2944 Blbaihmn.exe 4836 Boanecla.exe 4780 Bifbbllg.exe 2872 Blennh32.exe 468 Bbofkbbh.exe 2204 Bemcgmak.exe 1048 Blgkdg32.exe 1924 Bbacqape.exe 1928 Bikkml32.exe 4108 Cpedjf32.exe 5040 Cohdebfi.exe 1104 Cafpanem.exe 4676 Chphoh32.exe 4008 Cpgqpe32.exe 4864 Ccfmla32.exe 2468 Chbedh32.exe 4072 Commqb32.exe 2520 Cefemliq.exe 3420 Clqnjf32.exe 3732 Ccjfgphj.exe 1040 Cidncj32.exe 4568 Cpofpdgd.exe 4460 Ccmclp32.exe 1648 Cekohk32.exe 4416 Doccaall.exe 4896 Denlnk32.exe 4020 Dhlhjf32.exe 4616 Dpcpkc32.exe 1536 Dcalgo32.exe 2248 Djlddi32.exe 992 Dljqpd32.exe 4772 Dohmlp32.exe 4356 Dagiil32.exe 4632 Dhqaefng.exe 1412 Dphifcoi.exe 4004 Dokjbp32.exe 232 Daifnk32.exe 4768 Djpnohej.exe 4888 Dlojkddn.exe 636 Domfgpca.exe 1776 Dakbckbe.exe 1716 Ejbkehcg.exe 2580 Epmcab32.exe 4696 Ebnoikqb.exe 2996 Elccfc32.exe 4900 Eoapbo32.exe 1856 Ebploj32.exe 1088 Ejgdpg32.exe 4296 Eleplc32.exe 4824 Ecphimfb.exe 4828 Efneehef.exe 4328 Ehlaaddj.exe 3088 Eqciba32.exe 4964 Ebeejijj.exe 2368 Ejlmkgkl.exe 1840 Eqfeha32.exe 4148 Ecdbdl32.exe 608 Fjnjqfij.exe 1828 Fmmfmbhn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Addjcmqn.dll Ndidbn32.exe File created C:\Windows\SysWOW64\Eaacilcc.dll Qgallfcq.exe File created C:\Windows\SysWOW64\Nconcm32.dll Bdmpcdfm.exe File created C:\Windows\SysWOW64\Mjbogmdb.exe Process not Found File created C:\Windows\SysWOW64\Linhgilm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pnkbkk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hclakimb.exe Gameonno.exe File created C:\Windows\SysWOW64\Ldaeka32.exe Lpfijcfl.exe File opened for modification C:\Windows\SysWOW64\Nnjbke32.exe Njogjfoj.exe File opened for modification C:\Windows\SysWOW64\Cdiooblp.exe Cbgbgj32.exe File created C:\Windows\SysWOW64\Nnjlpo32.exe Ngpccdlj.exe File created C:\Windows\SysWOW64\Cikglnkj.exe Cjhfpa32.exe File created C:\Windows\SysWOW64\Jqlefl32.exe Jbiejoaj.exe File opened for modification C:\Windows\SysWOW64\Mmbanbmg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jgmjmjnb.exe Process not Found File created C:\Windows\SysWOW64\Phfkqkek.dll Acocaf32.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Dmefhako.exe File created C:\Windows\SysWOW64\Kbekqdjh.exe Klkcdj32.exe File created C:\Windows\SysWOW64\Mbmcqa32.dll Dhomfc32.exe File created C:\Windows\SysWOW64\Iaejbl32.dll Kjmmepfj.exe File opened for modification C:\Windows\SysWOW64\Jokkgl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qeemej32.exe Qbgqio32.exe File created C:\Windows\SysWOW64\Nkenegog.dll Ngmgne32.exe File created C:\Windows\SysWOW64\Daconoae.exe Dmgbnq32.exe File created C:\Windows\SysWOW64\Amodep32.exe Aokcklid.exe File created C:\Windows\SysWOW64\Ggnedlao.exe Ghkeio32.exe File created C:\Windows\SysWOW64\Gmlfmg32.dll Hfachc32.exe File created C:\Windows\SysWOW64\Bjddphlq.exe Beglgani.exe File created C:\Windows\SysWOW64\Khacqh32.dll Process not Found File created C:\Windows\SysWOW64\Qdaniq32.exe Process not Found File created C:\Windows\SysWOW64\Jilpfgkh.dll Process not Found File created C:\Windows\SysWOW64\Ijhkffjm.dll Clpgpp32.exe File created C:\Windows\SysWOW64\Ldfgeigq.dll Agoabn32.exe File created C:\Windows\SysWOW64\Cmeafpab.dll Ppjgoaoj.exe File opened for modification C:\Windows\SysWOW64\Gahcmd32.exe Gnlgleef.exe File created C:\Windows\SysWOW64\Eadpldgf.dll Kinmcg32.exe File opened for modification C:\Windows\SysWOW64\Oodcdb32.exe Process not Found File created C:\Windows\SysWOW64\Acbmpm32.dll Ednaqo32.exe File created C:\Windows\SysWOW64\Agoabn32.exe Accfbokl.exe File created C:\Windows\SysWOW64\Kbmoen32.exe Kiejmi32.exe File created C:\Windows\SysWOW64\Hdmoohbo.exe Process not Found File created C:\Windows\SysWOW64\Fnmqcaaj.dll Cpedjf32.exe File opened for modification C:\Windows\SysWOW64\Jbkjjblm.exe Idacmfkj.exe File created C:\Windows\SysWOW64\Ocmconhk.exe Ooagno32.exe File created C:\Windows\SysWOW64\Bepdhaek.dll Cpbbch32.exe File created C:\Windows\SysWOW64\Njghbl32.exe Process not Found File created C:\Windows\SysWOW64\Ajggomog.exe Process not Found File created C:\Windows\SysWOW64\Lcglnp32.dll Fijmbb32.exe File created C:\Windows\SysWOW64\Angddopp.exe Alhhhcal.exe File opened for modification C:\Windows\SysWOW64\Mejpje32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Idhnkf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bhaebcen.exe Becifhfj.exe File created C:\Windows\SysWOW64\Cnmqme32.dll Ihbdplfi.exe File opened for modification C:\Windows\SysWOW64\Dbicpfdk.exe Process not Found File created C:\Windows\SysWOW64\Oebflhaf.exe Oepifi32.exe File created C:\Windows\SysWOW64\Mlmbfqoj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dmdhcddh.exe Process not Found File created C:\Windows\SysWOW64\Ggpdhj32.dll Process not Found File created C:\Windows\SysWOW64\Jgenbfoa.exe Jqlefl32.exe File created C:\Windows\SysWOW64\Ddhnoefl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Efccmidp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jifhaenk.exe Jeklag32.exe File created C:\Windows\SysWOW64\Nojjcj32.exe Process not Found File created C:\Windows\SysWOW64\Kdcijcke.exe Kaemnhla.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1832 17636 Process not Found 1854 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccjfgphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll" Dhqaefng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laopdgcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhkffjm.dll" Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Folaiqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcfgpga.dll" Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aldomc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hflcbngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cipqnf32.dll" Fojedapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" Ndghmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgfqmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgejpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcicn32.dll" Blpechop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpnkama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll" Gidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeklkchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfllfd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooagno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnlhc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemqgjog.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbecoe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kepelfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiflecc.dll" Jgonlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdjdfgl.dll" Fkihnmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aglnbhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpeaedjn.dll" Hdmein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnhno32.dll" Ccfmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpagm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjkombfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odjjif32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmmocpjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kagichjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcdmga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbjqfjb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpedjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjhchjo.dll" Ikcdlmgf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5100 wrote to memory of 2344 5100 99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d.exe 86 PID 5100 wrote to memory of 2344 5100 99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d.exe 86 PID 5100 wrote to memory of 2344 5100 99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d.exe 86 PID 2344 wrote to memory of 3232 2344 Bbhqjchp.exe 87 PID 2344 wrote to memory of 3232 2344 Bbhqjchp.exe 87 PID 2344 wrote to memory of 3232 2344 Bbhqjchp.exe 87 PID 3232 wrote to memory of 3952 3232 Befmfngc.exe 88 PID 3232 wrote to memory of 3952 3232 Befmfngc.exe 88 PID 3232 wrote to memory of 3952 3232 Befmfngc.exe 88 PID 3952 wrote to memory of 3620 3952 Blpechop.exe 89 PID 3952 wrote to memory of 3620 3952 Blpechop.exe 89 PID 3952 wrote to memory of 3620 3952 Blpechop.exe 89 PID 3620 wrote to memory of 4388 3620 Booaodnd.exe 90 PID 3620 wrote to memory of 4388 3620 Booaodnd.exe 90 PID 3620 wrote to memory of 4388 3620 Booaodnd.exe 90 PID 4388 wrote to memory of 2944 4388 Bammlomg.exe 91 PID 4388 wrote to memory of 2944 4388 Bammlomg.exe 91 PID 4388 wrote to memory of 2944 4388 Bammlomg.exe 91 PID 2944 wrote to memory of 4836 2944 Blbaihmn.exe 93 PID 2944 wrote to memory of 4836 2944 Blbaihmn.exe 93 PID 2944 wrote to memory of 4836 2944 Blbaihmn.exe 93 PID 4836 wrote to memory of 4780 4836 Boanecla.exe 94 PID 4836 wrote to memory of 4780 4836 Boanecla.exe 94 PID 4836 wrote to memory of 4780 4836 Boanecla.exe 94 PID 4780 wrote to memory of 2872 4780 Bifbbllg.exe 95 PID 4780 wrote to memory of 2872 4780 Bifbbllg.exe 95 PID 4780 wrote to memory of 2872 4780 Bifbbllg.exe 95 PID 2872 wrote to memory of 468 2872 Blennh32.exe 96 PID 2872 wrote to memory of 468 2872 Blennh32.exe 96 PID 2872 wrote to memory of 468 2872 Blennh32.exe 96 PID 468 wrote to memory of 2204 468 Bbofkbbh.exe 97 PID 468 wrote to memory of 2204 468 Bbofkbbh.exe 97 PID 468 wrote to memory of 2204 468 Bbofkbbh.exe 97 PID 2204 wrote to memory of 1048 2204 Bemcgmak.exe 98 PID 2204 wrote to memory of 1048 2204 Bemcgmak.exe 98 PID 2204 wrote to memory of 1048 2204 Bemcgmak.exe 98 PID 1048 wrote to memory of 1924 1048 Blgkdg32.exe 99 PID 1048 wrote to memory of 1924 1048 Blgkdg32.exe 99 PID 1048 wrote to memory of 1924 1048 Blgkdg32.exe 99 PID 1924 wrote to memory of 1928 1924 Bbacqape.exe 100 PID 1924 wrote to memory of 1928 1924 Bbacqape.exe 100 PID 1924 wrote to memory of 1928 1924 Bbacqape.exe 100 PID 1928 wrote to memory of 4108 1928 Bikkml32.exe 101 PID 1928 wrote to memory of 4108 1928 Bikkml32.exe 101 PID 1928 wrote to memory of 4108 1928 Bikkml32.exe 101 PID 4108 wrote to memory of 5040 4108 Cpedjf32.exe 102 PID 4108 wrote to memory of 5040 4108 Cpedjf32.exe 102 PID 4108 wrote to memory of 5040 4108 Cpedjf32.exe 102 PID 5040 wrote to memory of 1104 5040 Cohdebfi.exe 103 PID 5040 wrote to memory of 1104 5040 Cohdebfi.exe 103 PID 5040 wrote to memory of 1104 5040 Cohdebfi.exe 103 PID 1104 wrote to memory of 4676 1104 Cafpanem.exe 104 PID 1104 wrote to memory of 4676 1104 Cafpanem.exe 104 PID 1104 wrote to memory of 4676 1104 Cafpanem.exe 104 PID 4676 wrote to memory of 4008 4676 Chphoh32.exe 105 PID 4676 wrote to memory of 4008 4676 Chphoh32.exe 105 PID 4676 wrote to memory of 4008 4676 Chphoh32.exe 105 PID 4008 wrote to memory of 4864 4008 Cpgqpe32.exe 106 PID 4008 wrote to memory of 4864 4008 Cpgqpe32.exe 106 PID 4008 wrote to memory of 4864 4008 Cpgqpe32.exe 106 PID 4864 wrote to memory of 2468 4864 Ccfmla32.exe 107 PID 4864 wrote to memory of 2468 4864 Ccfmla32.exe 107 PID 4864 wrote to memory of 2468 4864 Ccfmla32.exe 107 PID 2468 wrote to memory of 4072 2468 Chbedh32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d.exe"C:\Users\Admin\AppData\Local\Temp\99240f7ad7467e3b455cbe1d383b3ce584c766358b04b4bc37a361914ec2287d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Bbacqape.exeC:\Windows\system32\Bbacqape.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe23⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe24⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe25⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe27⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe29⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe30⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe31⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe32⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe33⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe34⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe35⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe36⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe37⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe38⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe39⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe41⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe42⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe43⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe45⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe46⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe47⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe48⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe49⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe50⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe51⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe52⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe53⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe54⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe55⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe56⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe57⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe58⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe60⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe61⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe62⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe63⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe64⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe65⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe66⤵PID:4504
-
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe67⤵PID:2424
-
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe68⤵PID:2020
-
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe69⤵PID:4428
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe70⤵PID:2604
-
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe71⤵PID:4952
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe72⤵PID:3520
-
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe73⤵PID:732
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe74⤵PID:1148
-
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe75⤵PID:2348
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe76⤵PID:3140
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe77⤵PID:4452
-
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe78⤵PID:2612
-
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe79⤵
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe80⤵PID:3256
-
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe81⤵PID:972
-
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe82⤵PID:2276
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe83⤵PID:2632
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe84⤵PID:3968
-
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe85⤵PID:3920
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe86⤵PID:3248
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe88⤵PID:5128
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe89⤵PID:5172
-
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe90⤵PID:5224
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe91⤵PID:5264
-
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe92⤵
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe93⤵PID:5348
-
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe94⤵PID:5396
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe95⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe96⤵PID:5476
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe97⤵PID:5528
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe98⤵PID:5576
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe99⤵PID:5628
-
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe100⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe101⤵PID:5708
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe103⤵PID:5796
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe104⤵PID:5848
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe105⤵PID:5884
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe106⤵PID:5928
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe107⤵PID:5984
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe108⤵PID:6028
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe109⤵PID:6064
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe110⤵PID:6116
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe111⤵PID:4804
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe112⤵
- Drops file in System32 directory
PID:5164 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe113⤵PID:5248
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe114⤵PID:5316
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe115⤵PID:5376
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe116⤵PID:5460
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe117⤵PID:5516
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe118⤵PID:5568
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe119⤵PID:5672
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe120⤵PID:5756
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe121⤵PID:5840
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-