Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/03/2024, 19:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21.exe
-
Size
245KB
-
MD5
cc7ce4403d50190d7500c2f93df4d591
-
SHA1
783282ae92fd50065aeaefcdfe4ef5c4ff2e3743
-
SHA256
3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21
-
SHA512
d1d32677e53c8b4c187ebcf543025085fd48eed05ac0093e25156ae38df5ae7babab3dee7d8383b30af90339a29b2d204316721a305b436fc72c61bc23ed394e
-
SSDEEP
1536:v5bKWjE/x//gBsX3bneLC0sgi5X/4cXeXvubKrFEwMEwKhbArEwKhQL4cXeXvubW:R+XYsnbnIEgi5Xwago+bAr+Qka
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidbflcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckedalaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfdnhfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbflcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjghpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckjacjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocpgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdelajl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkceffcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chghdqbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldoaklml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnlhfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpaldog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpcfdmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fllpbldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkhqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgopffec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbgqio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkbchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dceohhja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdgfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimekgff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiidgeki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megdccmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aclpap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmhja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gofkje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndokbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acjjfggb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leihbeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmngglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cogmkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofqpqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaooda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeklag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjffddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmiciaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbfkbhpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boepel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfbibnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdqba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbdolh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabfga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkbebbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oboaabga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aniajnnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddecc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhbdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmgki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paegjl32.exe -
Executes dropped EXE 64 IoCs
pid Process 2428 Jfffjqdf.exe 4416 Jidbflcj.exe 2072 Jaljgidl.exe 4884 Jbmfoa32.exe 2240 Jfhbppbc.exe 1084 Jmbklj32.exe 3068 Jpaghf32.exe 4060 Jbocea32.exe 2036 Jkfkfohj.exe 4876 Kaqcbi32.exe 3168 Kdopod32.exe 4536 Kmgdgjek.exe 1516 Kpepcedo.exe 1544 Kmjqmi32.exe 4556 Kphmie32.exe 3112 Kipabjil.exe 3788 Kagichjo.exe 1564 Kgdbkohf.exe 4804 Kpmfddnf.exe 4220 Kckbqpnj.exe 5012 Liekmj32.exe 4920 Lgikfn32.exe 3952 Lmccchkn.exe 4836 Ldmlpbbj.exe 4404 Lijdhiaa.exe 3672 Ldohebqh.exe 424 Lilanioo.exe 720 Lpfijcfl.exe 1160 Lcdegnep.exe 768 Lnjjdgee.exe 1064 Lphfpbdi.exe 428 Lknjmkdo.exe 5076 Mpkbebbf.exe 2580 Mciobn32.exe 3872 Mkpgck32.exe 2524 Majopeii.exe 1360 Mkbchk32.exe 4312 Mjhqjg32.exe 4720 Mpaifalo.exe 1972 Mjjmog32.exe 2740 Mpdelajl.exe 432 Mgnnhk32.exe 1780 Ndbnboqb.exe 4316 Njogjfoj.exe 4036 Nqiogp32.exe 2160 Ngcgcjnc.exe 4924 Nbhkac32.exe 3620 Ndghmo32.exe 3200 Nkqpjidj.exe 1144 Nbkhfc32.exe 4472 Nqmhbpba.exe 2244 Nggqoj32.exe 3480 Njfmke32.exe 2512 Nqpego32.exe 1952 Okeieh32.exe 2224 Oboaabga.exe 1668 Ogljjiei.exe 3032 Ojjffddl.exe 4292 Oqdoboli.exe 2732 Occkojkm.exe 1148 Odbgim32.exe 5008 Onklabip.exe 2976 Oqihnn32.exe 4708 Ocgdji32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lcdegnep.exe Lpfijcfl.exe File created C:\Windows\SysWOW64\Mhkngh32.dll Klqcioba.exe File created C:\Windows\SysWOW64\Idodkeom.dll Mlhbal32.exe File created C:\Windows\SysWOW64\Mfilim32.dll Pfjcgn32.exe File created C:\Windows\SysWOW64\Ampkof32.exe Ajanck32.exe File opened for modification C:\Windows\SysWOW64\Bfdodjhm.exe Bcebhoii.exe File created C:\Windows\SysWOW64\Dhmgki32.exe Deokon32.exe File created C:\Windows\SysWOW64\Ahhblemi.exe Aejfpjne.exe File created C:\Windows\SysWOW64\Dhnnep32.exe Deoaid32.exe File created C:\Windows\SysWOW64\Ehimanbq.exe Eekaebcm.exe File created C:\Windows\SysWOW64\Hhhbcf32.dll Fbpnkama.exe File opened for modification C:\Windows\SysWOW64\Ncfdie32.exe Nphhmj32.exe File created C:\Windows\SysWOW64\Jeiooj32.dll Jaljgidl.exe File created C:\Windows\SysWOW64\Bjbndobo.exe Bhdbhcck.exe File created C:\Windows\SysWOW64\Eeanii32.dll Jcbihpel.exe File opened for modification C:\Windows\SysWOW64\Belebq32.exe Bmemac32.exe File created C:\Windows\SysWOW64\Ceckcp32.exe Cjmgfgdf.exe File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe Ndbnboqb.exe File created C:\Windows\SysWOW64\Aklmno32.dll Abpcon32.exe File created C:\Windows\SysWOW64\Eocqqdjh.dll Dboigi32.exe File opened for modification C:\Windows\SysWOW64\Hofdacke.exe Hkkhqd32.exe File created C:\Windows\SysWOW64\Kjqkei32.dll Icifbang.exe File created C:\Windows\SysWOW64\Pflplnlg.exe Pcncpbmd.exe File created C:\Windows\SysWOW64\Bahmfj32.exe Aniajnnn.exe File created C:\Windows\SysWOW64\Bdhfhe32.exe Bajjli32.exe File opened for modification C:\Windows\SysWOW64\Lpebpm32.exe Lljfpnjg.exe File created C:\Windows\SysWOW64\Pfaigm32.exe Pgnilpah.exe File opened for modification C:\Windows\SysWOW64\Qeemej32.exe Qbgqio32.exe File created C:\Windows\SysWOW64\Bhdbhcck.exe Bdhfhe32.exe File opened for modification C:\Windows\SysWOW64\Fljcmlfd.exe Eepjpb32.exe File opened for modification C:\Windows\SysWOW64\Gofkje32.exe Gkkojgao.exe File created C:\Windows\SysWOW64\Jbeidl32.exe Jcbihpel.exe File created C:\Windows\SysWOW64\Ldjhpl32.exe Lmppcbjd.exe File created C:\Windows\SysWOW64\Gcgnkd32.dll Nnneknob.exe File created C:\Windows\SysWOW64\Amjknl32.dll Daekdooc.exe File created C:\Windows\SysWOW64\Gpnkgo32.dll Mkbchk32.exe File opened for modification C:\Windows\SysWOW64\Pgopffec.exe Paegjl32.exe File created C:\Windows\SysWOW64\Dahode32.exe Dceohhja.exe File created C:\Windows\SysWOW64\Ocgdji32.exe Oqihnn32.exe File created C:\Windows\SysWOW64\Nljofl32.exe Nepgjaeg.exe File opened for modification C:\Windows\SysWOW64\Ajanck32.exe Qffbbldm.exe File opened for modification C:\Windows\SysWOW64\Chcddk32.exe Cajlhqjp.exe File created C:\Windows\SysWOW64\Ddjejl32.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Hnicfelf.dll Qecppkdm.exe File opened for modification C:\Windows\SysWOW64\Abkjdnoa.exe Anpncp32.exe File created C:\Windows\SysWOW64\Njkdbljm.dll Ecmeig32.exe File created C:\Windows\SysWOW64\Gmoeoidl.exe Gdhmnlcj.exe File created C:\Windows\SysWOW64\Kpihae32.dll Gmoeoidl.exe File created C:\Windows\SysWOW64\Hfgefhai.dll Hobkfd32.exe File opened for modification C:\Windows\SysWOW64\Chagok32.exe Cdfkolkf.exe File created C:\Windows\SysWOW64\Bejogg32.exe Bjdkjo32.exe File created C:\Windows\SysWOW64\Fhcpgmjf.exe Ffddka32.exe File opened for modification C:\Windows\SysWOW64\Mlcifmbl.exe Meiaib32.exe File created C:\Windows\SysWOW64\Hmmblqfc.dll Pdmpje32.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Bhhdil32.exe File created C:\Windows\SysWOW64\Maickled.dll Chokikeb.exe File created C:\Windows\SysWOW64\Ndbnboqb.exe Mgnnhk32.exe File opened for modification C:\Windows\SysWOW64\Iemppiab.exe Ibnccmbo.exe File opened for modification C:\Windows\SysWOW64\Kdeoemeg.exe Klngdpdd.exe File opened for modification C:\Windows\SysWOW64\Pcbmka32.exe Pdpmpdbd.exe File created C:\Windows\SysWOW64\Qdldlm32.dll Pnfkma32.exe File created C:\Windows\SysWOW64\Mcgdgamg.dll Cefoce32.exe File created C:\Windows\SysWOW64\Gogiek32.dll Ehgqln32.exe File created C:\Windows\SysWOW64\Bcjlcn32.exe Balpgb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12200 12040 WerFault.exe 588 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cefoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqnnn32.dll" Dhkapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ickchq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocgmpccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pggbkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmidog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcaee32.dll" Ceoibflm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdgljmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lphoelqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ognpebpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qceiaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lknjmkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddpeoafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll" Gbdgfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfbploob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcfqfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" Dfiafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfldb32.dll" Cdfbibnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll" Cdabcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbnpqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eolpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eepjpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghlcnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll" Jfhlejnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcmabg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miifeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahhblemi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbddcoei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chdkoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipdqba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll" Mbfkbhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngbpidjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogljjiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll" Lenamdem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgefeajb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmdhh32.dll" Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegnoi32.dll" Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll" Oflgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll" Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogljjiei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojjffddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgopffec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghlmgij.dll" Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpoefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbmfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cogmkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilghlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kipkhdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndokbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdldlm32.dll" Pnfkma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leihbeib.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4740 wrote to memory of 2428 4740 3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21.exe 91 PID 4740 wrote to memory of 2428 4740 3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21.exe 91 PID 4740 wrote to memory of 2428 4740 3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21.exe 91 PID 2428 wrote to memory of 4416 2428 Jfffjqdf.exe 92 PID 2428 wrote to memory of 4416 2428 Jfffjqdf.exe 92 PID 2428 wrote to memory of 4416 2428 Jfffjqdf.exe 92 PID 4416 wrote to memory of 2072 4416 Jidbflcj.exe 93 PID 4416 wrote to memory of 2072 4416 Jidbflcj.exe 93 PID 4416 wrote to memory of 2072 4416 Jidbflcj.exe 93 PID 2072 wrote to memory of 4884 2072 Jaljgidl.exe 94 PID 2072 wrote to memory of 4884 2072 Jaljgidl.exe 94 PID 2072 wrote to memory of 4884 2072 Jaljgidl.exe 94 PID 4884 wrote to memory of 2240 4884 Jbmfoa32.exe 95 PID 4884 wrote to memory of 2240 4884 Jbmfoa32.exe 95 PID 4884 wrote to memory of 2240 4884 Jbmfoa32.exe 95 PID 2240 wrote to memory of 1084 2240 Jfhbppbc.exe 96 PID 2240 wrote to memory of 1084 2240 Jfhbppbc.exe 96 PID 2240 wrote to memory of 1084 2240 Jfhbppbc.exe 96 PID 1084 wrote to memory of 3068 1084 Jmbklj32.exe 97 PID 1084 wrote to memory of 3068 1084 Jmbklj32.exe 97 PID 1084 wrote to memory of 3068 1084 Jmbklj32.exe 97 PID 3068 wrote to memory of 4060 3068 Jpaghf32.exe 98 PID 3068 wrote to memory of 4060 3068 Jpaghf32.exe 98 PID 3068 wrote to memory of 4060 3068 Jpaghf32.exe 98 PID 4060 wrote to memory of 2036 4060 Jbocea32.exe 99 PID 4060 wrote to memory of 2036 4060 Jbocea32.exe 99 PID 4060 wrote to memory of 2036 4060 Jbocea32.exe 99 PID 2036 wrote to memory of 4876 2036 Jkfkfohj.exe 100 PID 2036 wrote to memory of 4876 2036 Jkfkfohj.exe 100 PID 2036 wrote to memory of 4876 2036 Jkfkfohj.exe 100 PID 4876 wrote to memory of 3168 4876 Kaqcbi32.exe 101 PID 4876 wrote to memory of 3168 4876 Kaqcbi32.exe 101 PID 4876 wrote to memory of 3168 4876 Kaqcbi32.exe 101 PID 3168 wrote to memory of 4536 3168 Kdopod32.exe 102 PID 3168 wrote to memory of 4536 3168 Kdopod32.exe 102 PID 3168 wrote to memory of 4536 3168 Kdopod32.exe 102 PID 4536 wrote to memory of 1516 4536 Kmgdgjek.exe 103 PID 4536 wrote to memory of 1516 4536 Kmgdgjek.exe 103 PID 4536 wrote to memory of 1516 4536 Kmgdgjek.exe 103 PID 1516 wrote to memory of 1544 1516 Kpepcedo.exe 104 PID 1516 wrote to memory of 1544 1516 Kpepcedo.exe 104 PID 1516 wrote to memory of 1544 1516 Kpepcedo.exe 104 PID 1544 wrote to memory of 4556 1544 Kmjqmi32.exe 105 PID 1544 wrote to memory of 4556 1544 Kmjqmi32.exe 105 PID 1544 wrote to memory of 4556 1544 Kmjqmi32.exe 105 PID 4556 wrote to memory of 3112 4556 Kphmie32.exe 106 PID 4556 wrote to memory of 3112 4556 Kphmie32.exe 106 PID 4556 wrote to memory of 3112 4556 Kphmie32.exe 106 PID 3112 wrote to memory of 3788 3112 Kipabjil.exe 107 PID 3112 wrote to memory of 3788 3112 Kipabjil.exe 107 PID 3112 wrote to memory of 3788 3112 Kipabjil.exe 107 PID 3788 wrote to memory of 1564 3788 Kagichjo.exe 109 PID 3788 wrote to memory of 1564 3788 Kagichjo.exe 109 PID 3788 wrote to memory of 1564 3788 Kagichjo.exe 109 PID 1564 wrote to memory of 4804 1564 Kgdbkohf.exe 111 PID 1564 wrote to memory of 4804 1564 Kgdbkohf.exe 111 PID 1564 wrote to memory of 4804 1564 Kgdbkohf.exe 111 PID 4804 wrote to memory of 4220 4804 Kpmfddnf.exe 112 PID 4804 wrote to memory of 4220 4804 Kpmfddnf.exe 112 PID 4804 wrote to memory of 4220 4804 Kpmfddnf.exe 112 PID 4220 wrote to memory of 5012 4220 Kckbqpnj.exe 113 PID 4220 wrote to memory of 5012 4220 Kckbqpnj.exe 113 PID 4220 wrote to memory of 5012 4220 Kckbqpnj.exe 113 PID 5012 wrote to memory of 4920 5012 Liekmj32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21.exe"C:\Users\Admin\AppData\Local\Temp\3f94a978cac5cb55f97aa968893a9d1d720fa9042937b25266106980d2ad2a21.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe23⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe24⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe25⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe26⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe27⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe28⤵
- Executes dropped EXE
PID:424 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:720 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe30⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe31⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe32⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:428 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe35⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe36⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe37⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe39⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe40⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe41⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe45⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe47⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe48⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe49⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe50⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe51⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe52⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe53⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe54⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe55⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe56⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe60⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe61⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe62⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe63⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe65⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe66⤵PID:4908
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe67⤵PID:2008
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe68⤵PID:3496
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe69⤵PID:5096
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe70⤵PID:4872
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe71⤵PID:4384
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3144 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe73⤵PID:1440
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe74⤵PID:4448
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe75⤵PID:3008
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe76⤵PID:2308
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe77⤵PID:3024
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe78⤵PID:4600
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:4756 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3836 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe82⤵PID:2444
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe83⤵
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe84⤵
- Drops file in System32 directory
PID:3216 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe85⤵PID:5128
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe86⤵PID:5168
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5212 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe88⤵PID:5252
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe89⤵PID:5292
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe91⤵
- Drops file in System32 directory
PID:5372 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe92⤵PID:5412
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe93⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe94⤵
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe95⤵PID:5536
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe96⤵PID:5576
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe97⤵PID:5616
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe98⤵PID:5652
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe99⤵PID:5696
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe101⤵PID:5776
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe102⤵PID:5816
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe103⤵PID:5856
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe104⤵PID:5900
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe105⤵PID:5940
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe107⤵PID:6020
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe108⤵PID:6060
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe109⤵PID:6096
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6132 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe112⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe113⤵
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5368 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe115⤵PID:5424
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe116⤵PID:5488
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe117⤵PID:5548
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe118⤵
- Drops file in System32 directory
PID:5636 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe119⤵PID:5716
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe120⤵PID:5772
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-