Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12/03/2024, 00:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d.exe
-
Size
488KB
-
MD5
a5ed0e4ffc25394b4f9b774e95df81cf
-
SHA1
e6919006ca8ae67fa695e52810ad2ca04171fbf3
-
SHA256
9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d
-
SHA512
32bd35013e54b037d8ae214619b94fc7d607a710c787cc1e2f82504cbf869904b40dd5e4ad4fe45e14038990e798a2b5cb77f7ab9e1a246ecabe3e5862dd6ad7
-
SSDEEP
6144:maY4Yfon/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uon2KO:LYaNIVyeNIVy2oIvPKiKO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jniood32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egened32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafmjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqphic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadiiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofalmmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqncnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obpkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqnbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmdbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhblllfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midfokpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkaicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gndbie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpnga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikqqlgem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlcahgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gclafmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocfdgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Podkmgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ledepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpjmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddfbgelh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkabbgol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgnkkbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppjfgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdciiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkkqmiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkaiphj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjolie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igfkfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoipb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqnejaff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkohchko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkabbgol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iohjlmeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgogbgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqkondfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdngpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kniieo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnmbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feenjgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acppddig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnpcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmeoqlpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjecpkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiacacpg.exe -
Executes dropped EXE 64 IoCs
pid Process 2008 Iohjlmeg.exe 2384 Ifbbig32.exe 4124 Iokgal32.exe 2352 Ifdonfka.exe 2928 Igfkfo32.exe 3712 Ibkpcg32.exe 4476 Ioopml32.exe 1296 Iigdfa32.exe 2888 Ioambknl.exe 1552 Ibpiogmp.exe 4884 Jnnpdg32.exe 2404 Lldfjh32.exe 1756 Midfokpm.exe 1388 Nbadcpbh.exe 1624 Oidofh32.exe 4504 Oiihahme.exe 4692 Ocamjm32.exe 2804 Ocdjpmac.exe 3812 Ocffempp.exe 3692 Pedbahod.exe 4516 Pcicklnn.exe 4676 Phjenbhp.exe 1564 Ppamophb.exe 2212 Pofjpl32.exe 932 Aqoiqn32.exe 3128 Aijnep32.exe 2020 Ajjjocap.exe 4256 Bqdblmhl.exe 4356 Bfqkddfd.exe 2808 Bfedoc32.exe 5108 Bpnihiio.exe 4872 Bfjnjcni.exe 876 Cfadkb32.exe 8 Cceddf32.exe 4960 Caienjfd.exe 3124 Cidjbmcp.exe 3500 Dgejpd32.exe 4092 Diffglam.exe 1948 Djfcaohp.exe 3972 Dapkni32.exe 552 Dcogje32.exe 2584 Dikpbl32.exe 2380 Dpehof32.exe 4264 Djklmo32.exe 2028 Dmihij32.exe 4472 Djmibn32.exe 2748 Eagaoh32.exe 632 Efdjgo32.exe 4836 Emnbdioi.exe 312 Eplnpeol.exe 2708 Epokedmj.exe 1532 Efhcbodf.exe 3684 Embkoi32.exe 4372 Epagkd32.exe 760 Emehdh32.exe 3600 Edopabqn.exe 1788 Filiii32.exe 568 Fdamgb32.exe 3984 Fkkeclfh.exe 3700 Hkjjlhle.exe 4288 Ikqqlgem.exe 4996 Iqmidndd.exe 3676 Iggaah32.exe 2852 Iqpfjnba.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gjcmngnj.exe Gcjdam32.exe File created C:\Windows\SysWOW64\Bkoigdom.exe Bhamkipi.exe File created C:\Windows\SysWOW64\Jacpcl32.exe Jjihfbno.exe File created C:\Windows\SysWOW64\Hfibjl32.dll Ghojbq32.exe File opened for modification C:\Windows\SysWOW64\Nghekkmn.exe Manmoq32.exe File created C:\Windows\SysWOW64\Adnbpqkj.dll Bkibgh32.exe File created C:\Windows\SysWOW64\Kikdcj32.dll Mkohaj32.exe File opened for modification C:\Windows\SysWOW64\Bfendmoc.exe Bcfahbpo.exe File created C:\Windows\SysWOW64\Gbabigfj.exe Glengm32.exe File created C:\Windows\SysWOW64\Dodfed32.dll Eqkondfl.exe File opened for modification C:\Windows\SysWOW64\Qppkhfec.exe Qifbll32.exe File created C:\Windows\SysWOW64\Jecffa32.dll Mbbagk32.exe File created C:\Windows\SysWOW64\Fniihmpf.exe Fkjmlaac.exe File created C:\Windows\SysWOW64\Acppddig.exe Akihcfid.exe File created C:\Windows\SysWOW64\Ncabfkqo.exe Nabfjpak.exe File created C:\Windows\SysWOW64\Coiaiakf.exe Cioilg32.exe File opened for modification C:\Windows\SysWOW64\Dfjpfj32.exe Diccgfpd.exe File created C:\Windows\SysWOW64\Ndnljbeg.dll Lgdidgjg.exe File created C:\Windows\SysWOW64\Hlppno32.exe Hiacacpg.exe File created C:\Windows\SysWOW64\Jpgdai32.exe Jafdcbge.exe File created C:\Windows\SysWOW64\Oihoif32.dll Emehdh32.exe File opened for modification C:\Windows\SysWOW64\Hkjjlhle.exe Fkkeclfh.exe File created C:\Windows\SysWOW64\Eeccjdie.dll Klhnfo32.exe File created C:\Windows\SysWOW64\Daollh32.exe Dalofi32.exe File opened for modification C:\Windows\SysWOW64\Fdbkja32.exe Fbdnne32.exe File created C:\Windows\SysWOW64\Caienjfd.exe Cceddf32.exe File created C:\Windows\SysWOW64\Eehnaq32.dll Bajqda32.exe File opened for modification C:\Windows\SysWOW64\Cnaaib32.exe Ckbemgcp.exe File created C:\Windows\SysWOW64\Okhbek32.dll Cdkifmjq.exe File created C:\Windows\SysWOW64\Gjecbd32.dll Bmjkic32.exe File opened for modification C:\Windows\SysWOW64\Jekqmhia.exe Joahqn32.exe File created C:\Windows\SysWOW64\Ekfkeh32.dll Keimof32.exe File created C:\Windows\SysWOW64\Djmibn32.exe Dmihij32.exe File opened for modification C:\Windows\SysWOW64\Akffafgg.exe Njiegl32.exe File created C:\Windows\SysWOW64\Cqglioac.dll Nnbnhedj.exe File created C:\Windows\SysWOW64\Pmpockdl.dll Afbgkl32.exe File created C:\Windows\SysWOW64\Jpbhgp32.dll Ehpadhll.exe File opened for modification C:\Windows\SysWOW64\Jlikkkhn.exe Jadgnb32.exe File created C:\Windows\SysWOW64\Aijnep32.exe Aqoiqn32.exe File created C:\Windows\SysWOW64\Hjjcnl32.dll Hbdgec32.exe File created C:\Windows\SysWOW64\Nbadcpbh.exe Midfokpm.exe File created C:\Windows\SysWOW64\Fjadje32.exe Fdglmkeg.exe File created C:\Windows\SysWOW64\Jjdejk32.dll Hmnmgnoh.exe File created C:\Windows\SysWOW64\Kngekilj.dll Ieagmcmq.exe File created C:\Windows\SysWOW64\Kiejmi32.exe Kqnbkl32.exe File opened for modification C:\Windows\SysWOW64\Kcbfcigf.exe Klhnfo32.exe File opened for modification C:\Windows\SysWOW64\Lkabjbih.exe Lnnbqnjn.exe File opened for modification C:\Windows\SysWOW64\Aojefobm.exe Aogiap32.exe File created C:\Windows\SysWOW64\Ldldehjm.dll Hedafk32.exe File created C:\Windows\SysWOW64\Ejlgio32.dll Lmbhgd32.exe File opened for modification C:\Windows\SysWOW64\Qifbll32.exe Qfgfpp32.exe File opened for modification C:\Windows\SysWOW64\Fohfbpgi.exe Fniihmpf.exe File created C:\Windows\SysWOW64\Emphocjj.exe Efepbi32.exe File created C:\Windows\SysWOW64\Lkchelci.exe Lqndhcdc.exe File created C:\Windows\SysWOW64\Ndflak32.exe Nagpeo32.exe File created C:\Windows\SysWOW64\Nlefjnno.exe Napameoi.exe File opened for modification C:\Windows\SysWOW64\Bombmcec.exe Bmofagfp.exe File opened for modification C:\Windows\SysWOW64\Diccgfpd.exe Ccgjopal.exe File created C:\Windows\SysWOW64\Bajqda32.exe Bkphhgfc.exe File opened for modification C:\Windows\SysWOW64\Cdmfllhn.exe Coqncejg.exe File created C:\Windows\SysWOW64\Llnnmhfe.exe Ledepn32.exe File created C:\Windows\SysWOW64\Leoema32.dll Fkkeclfh.exe File created C:\Windows\SysWOW64\Malpia32.exe Mkohaj32.exe File created C:\Windows\SysWOW64\Oeehkn32.exe Nmnqjp32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejqldci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjolie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnajppda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcjjhdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcghkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiciojhd.dll" Khgbqkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdnjfojj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jacpcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefdbekh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbplml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll" Ddhomdje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hchqbkkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnobqph.dll" Jglklggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejojljqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enabbk32.dll" Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmfbkh32.dll" Gnmlhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbnhedj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnmlhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijiopd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqgkec32.dll" Igfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iicfkknk.dll" Pcicklnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phjenbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epdime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll" Eddnic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahcld32.dll" Ibhkfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enfckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlelal32.dll" Iomoenej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjgeedch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkqgaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdokpl32.dll" Mifljdjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgofgjn.dll" Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll" Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll" Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll" Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbbeh32.dll" Bqdblmhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbdgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnnccl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jadgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfadkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkgillpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilhkigcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll" Jddiegbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll" Nfnjbdep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbbgicnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfcle32.dll" Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlpfhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfjipgp.dll" Ccpdoqgd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4032 wrote to memory of 2008 4032 9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d.exe 87 PID 4032 wrote to memory of 2008 4032 9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d.exe 87 PID 4032 wrote to memory of 2008 4032 9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d.exe 87 PID 2008 wrote to memory of 2384 2008 Iohjlmeg.exe 88 PID 2008 wrote to memory of 2384 2008 Iohjlmeg.exe 88 PID 2008 wrote to memory of 2384 2008 Iohjlmeg.exe 88 PID 2384 wrote to memory of 4124 2384 Ifbbig32.exe 89 PID 2384 wrote to memory of 4124 2384 Ifbbig32.exe 89 PID 2384 wrote to memory of 4124 2384 Ifbbig32.exe 89 PID 4124 wrote to memory of 2352 4124 Iokgal32.exe 90 PID 4124 wrote to memory of 2352 4124 Iokgal32.exe 90 PID 4124 wrote to memory of 2352 4124 Iokgal32.exe 90 PID 2352 wrote to memory of 2928 2352 Ifdonfka.exe 91 PID 2352 wrote to memory of 2928 2352 Ifdonfka.exe 91 PID 2352 wrote to memory of 2928 2352 Ifdonfka.exe 91 PID 2928 wrote to memory of 3712 2928 Igfkfo32.exe 92 PID 2928 wrote to memory of 3712 2928 Igfkfo32.exe 92 PID 2928 wrote to memory of 3712 2928 Igfkfo32.exe 92 PID 3712 wrote to memory of 4476 3712 Ibkpcg32.exe 93 PID 3712 wrote to memory of 4476 3712 Ibkpcg32.exe 93 PID 3712 wrote to memory of 4476 3712 Ibkpcg32.exe 93 PID 4476 wrote to memory of 1296 4476 Ioopml32.exe 94 PID 4476 wrote to memory of 1296 4476 Ioopml32.exe 94 PID 4476 wrote to memory of 1296 4476 Ioopml32.exe 94 PID 1296 wrote to memory of 2888 1296 Iigdfa32.exe 95 PID 1296 wrote to memory of 2888 1296 Iigdfa32.exe 95 PID 1296 wrote to memory of 2888 1296 Iigdfa32.exe 95 PID 2888 wrote to memory of 1552 2888 Ioambknl.exe 96 PID 2888 wrote to memory of 1552 2888 Ioambknl.exe 96 PID 2888 wrote to memory of 1552 2888 Ioambknl.exe 96 PID 1552 wrote to memory of 4884 1552 Ibpiogmp.exe 98 PID 1552 wrote to memory of 4884 1552 Ibpiogmp.exe 98 PID 1552 wrote to memory of 4884 1552 Ibpiogmp.exe 98 PID 4884 wrote to memory of 2404 4884 Jnnpdg32.exe 100 PID 4884 wrote to memory of 2404 4884 Jnnpdg32.exe 100 PID 4884 wrote to memory of 2404 4884 Jnnpdg32.exe 100 PID 2404 wrote to memory of 1756 2404 Lldfjh32.exe 101 PID 2404 wrote to memory of 1756 2404 Lldfjh32.exe 101 PID 2404 wrote to memory of 1756 2404 Lldfjh32.exe 101 PID 1756 wrote to memory of 1388 1756 Midfokpm.exe 102 PID 1756 wrote to memory of 1388 1756 Midfokpm.exe 102 PID 1756 wrote to memory of 1388 1756 Midfokpm.exe 102 PID 1388 wrote to memory of 1624 1388 Nbadcpbh.exe 103 PID 1388 wrote to memory of 1624 1388 Nbadcpbh.exe 103 PID 1388 wrote to memory of 1624 1388 Nbadcpbh.exe 103 PID 1624 wrote to memory of 4504 1624 Oidofh32.exe 105 PID 1624 wrote to memory of 4504 1624 Oidofh32.exe 105 PID 1624 wrote to memory of 4504 1624 Oidofh32.exe 105 PID 4504 wrote to memory of 4692 4504 Oiihahme.exe 106 PID 4504 wrote to memory of 4692 4504 Oiihahme.exe 106 PID 4504 wrote to memory of 4692 4504 Oiihahme.exe 106 PID 4692 wrote to memory of 2804 4692 Ocamjm32.exe 107 PID 4692 wrote to memory of 2804 4692 Ocamjm32.exe 107 PID 4692 wrote to memory of 2804 4692 Ocamjm32.exe 107 PID 2804 wrote to memory of 3812 2804 Ocdjpmac.exe 108 PID 2804 wrote to memory of 3812 2804 Ocdjpmac.exe 108 PID 2804 wrote to memory of 3812 2804 Ocdjpmac.exe 108 PID 3812 wrote to memory of 3692 3812 Ocffempp.exe 109 PID 3812 wrote to memory of 3692 3812 Ocffempp.exe 109 PID 3812 wrote to memory of 3692 3812 Ocffempp.exe 109 PID 3692 wrote to memory of 4516 3692 Pedbahod.exe 110 PID 3692 wrote to memory of 4516 3692 Pedbahod.exe 110 PID 3692 wrote to memory of 4516 3692 Pedbahod.exe 110 PID 4516 wrote to memory of 4676 4516 Pcicklnn.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d.exe"C:\Users\Admin\AppData\Local\Temp\9f8c09991a92061dfb7ae335a947e840f223003e528d6d049af2a86106806a7d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4676 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe24⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe25⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe27⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe28⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4256 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe30⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe31⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe32⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe33⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe36⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe37⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe38⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe39⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe40⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe41⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe42⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe43⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe44⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe47⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe48⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe49⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe50⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe51⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe52⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe53⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe54⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe55⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe57⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe58⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe59⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe61⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe63⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe64⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe65⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe67⤵PID:1764
-
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe68⤵
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe69⤵PID:5140
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5200 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe71⤵PID:5252
-
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe72⤵PID:5292
-
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe73⤵PID:5360
-
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe75⤵PID:5448
-
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5488 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe78⤵PID:5596
-
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe79⤵PID:5636
-
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe80⤵PID:5676
-
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe81⤵PID:5716
-
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe82⤵PID:5756
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe83⤵PID:5796
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe85⤵PID:5876
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe86⤵PID:5916
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5956 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe88⤵PID:6000
-
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe89⤵PID:6040
-
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe90⤵PID:6080
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe91⤵PID:6120
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe92⤵PID:5124
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe93⤵
- Drops file in System32 directory
PID:5232 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4956 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe95⤵PID:5392
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe96⤵PID:5472
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe97⤵PID:5572
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe98⤵PID:5644
-
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe99⤵PID:5728
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe100⤵PID:5828
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe101⤵
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe102⤵PID:5980
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6064 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe104⤵PID:6128
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe105⤵
- Drops file in System32 directory
PID:5328 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe106⤵PID:5620
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe107⤵PID:5804
-
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe108⤵PID:5884
-
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe109⤵PID:5952
-
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe110⤵PID:6068
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe111⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe112⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe113⤵
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe114⤵PID:5436
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe115⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe116⤵PID:5848
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe117⤵PID:6028
-
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe118⤵PID:4060
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe119⤵PID:5380
-
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe120⤵PID:5780
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-