Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12/03/2024, 17:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea.exe
-
Size
90KB
-
MD5
e98c9c16d64fd12f7e9a4b56223f0bde
-
SHA1
07135fb355081c972ef50d2c7e68009763028ffa
-
SHA256
0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea
-
SHA512
e245341c55fb8fa5a3968cc7f20ff3b6d14a578235e6f823a34fcb3730a36d03e06624b70adaf70a9e7c4af87425f97cbd8e369ab54c52a163bec0e3f1eaf82e
-
SSDEEP
1536:CdzNkzxdtIYBUH/sAuePxyFdgKOn/8eiXZcanaGvu/Ub0VkVNK:JnubHmuad1O/RGvu/Ub0+NK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngipjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ablahjhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqakln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlljnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfaaebnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqlbqlmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dekapfke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbapoqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peodcmeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfodpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeaidn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgblc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mihikgod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jafaem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ickcaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apcead32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahkffqdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpijgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ongijo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkeipk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacnegep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnjhhpgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnmeejo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nepgcgje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fklcbocl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbgdef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glinjqhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgafqla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjkgkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbgljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ondleo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malefbkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcead32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odbgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plgpjhnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhkgnkoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihikgod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khimhefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbmfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beqljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lehhqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefmgogl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhpjohb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkajnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmodfqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfchkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhonpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpijgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giokid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnnmogae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbefkjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbgkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbgiibja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpkhjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoocfegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjnjjlog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgalelin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdaonmdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpjbgne.exe -
Executes dropped EXE 64 IoCs
pid Process 4440 Nopfpgip.exe 4272 Nadleilm.exe 3536 Nnhmnn32.exe 5032 Oplfkeob.exe 4612 Opeiadfg.exe 456 Pmnbfhal.exe 4684 Qodeajbg.exe 1728 Adfgdpmi.exe 4656 Bobabg32.exe 1500 Bdojjo32.exe 4712 Baegibae.exe 2320 Bpkdjofm.exe 1912 Cdimqm32.exe 3056 Caojpaij.exe 4340 Ckgohf32.exe 1988 Dpiplm32.exe 4044 Ddkbmj32.exe 2588 Dhikci32.exe 2240 Edplhjhi.exe 4784 Ekonpckp.exe 4996 Foapaa32.exe 4940 Fkhpfbce.exe 1644 Fqgedh32.exe 2820 Gghdaa32.exe 1144 Geoapenf.exe 2660 Gngeik32.exe 1044 Iacngdgj.exe 1416 Ibgdlg32.exe 2924 Jhgiim32.exe 4620 Jihbip32.exe 2304 Joekag32.exe 4192 Jllhpkfk.exe 3504 Kibeoo32.exe 832 Kapfiqoj.exe 3676 Klggli32.exe 776 Lohqnd32.exe 4144 Ledepn32.exe 1928 Ljbnfleo.exe 1268 Lhgkgijg.exe 2260 Mofmobmo.exe 4860 Mlljnf32.exe 3220 Nfgklkoc.exe 4516 Nmcpoedn.exe 1788 Nimmifgo.exe 4252 Nqfbpb32.exe 5140 Omopjcjp.exe 5188 Oihmedma.exe 5232 Ocnabm32.exe 5272 Pqbala32.exe 5312 Padnaq32.exe 5352 Pbhgoh32.exe 5400 Piapkbeg.exe 5448 Pidlqb32.exe 5504 Afockelf.exe 5544 Aaiqcnhg.exe 5588 Apnndj32.exe 5640 Bpqjjjjl.exe 5700 Bbfmgd32.exe 5744 Cienon32.exe 5788 Cmedjl32.exe 5828 Cildom32.exe 5868 Ddcebe32.exe 5908 Dggkipii.exe 5952 Dalofi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kkmijf32.exe Kfpqap32.exe File created C:\Windows\SysWOW64\Befkma32.dll Pijiif32.exe File opened for modification C:\Windows\SysWOW64\Cbjogmlf.exe Cbhbbn32.exe File created C:\Windows\SysWOW64\Emjfif32.dll Cbglgg32.exe File created C:\Windows\SysWOW64\Mbiapehp.dll Hommhi32.exe File created C:\Windows\SysWOW64\Mmodfqhf.exe Megldcgd.exe File created C:\Windows\SysWOW64\Idjmfmgp.exe Impeib32.exe File created C:\Windows\SysWOW64\Okeinn32.exe Odkaac32.exe File created C:\Windows\SysWOW64\Qhfaig32.dll Afnlpohj.exe File created C:\Windows\SysWOW64\Qmlmjq32.exe Pdchakoo.exe File opened for modification C:\Windows\SysWOW64\Eaklcj32.exe Ekqcfpmj.exe File opened for modification C:\Windows\SysWOW64\Jondojna.exe Jhdlbp32.exe File created C:\Windows\SysWOW64\Pijiif32.exe Ppbepp32.exe File created C:\Windows\SysWOW64\Lijdbofo.exe Ldmlih32.exe File created C:\Windows\SysWOW64\Edpogbee.dll Ligglo32.exe File created C:\Windows\SysWOW64\Aoibcl32.dll Ddkbmj32.exe File created C:\Windows\SysWOW64\Idbepmok.dll Pihmcflg.exe File created C:\Windows\SysWOW64\Emhmkh32.exe Efnennjc.exe File created C:\Windows\SysWOW64\Ibqpio32.dll Nohicdia.exe File created C:\Windows\SysWOW64\Noabkh32.dll Fjeibc32.exe File opened for modification C:\Windows\SysWOW64\Fhefmjlp.exe Fbhnec32.exe File created C:\Windows\SysWOW64\Gcgndf32.exe Gmnfglcd.exe File created C:\Windows\SysWOW64\Fkngbb32.dll Gfaaebnj.exe File opened for modification C:\Windows\SysWOW64\Pgdgodhj.exe Oajoaj32.exe File created C:\Windows\SysWOW64\Jdaficop.dll Pfjcpc32.exe File opened for modification C:\Windows\SysWOW64\Klnkoc32.exe Kbigajfc.exe File created C:\Windows\SysWOW64\Nacboi32.exe Nkijbooo.exe File created C:\Windows\SysWOW64\Kingpj32.dll Ipmjkh32.exe File opened for modification C:\Windows\SysWOW64\Glinjqhb.exe Omgabj32.exe File created C:\Windows\SysWOW64\Mldhacpj.exe Mcggga32.exe File opened for modification C:\Windows\SysWOW64\Dncehk32.exe Dgjmkqke.exe File opened for modification C:\Windows\SysWOW64\Deiblamk.exe Coojpg32.exe File created C:\Windows\SysWOW64\Cogllb32.dll Mcdepd32.exe File created C:\Windows\SysWOW64\Dlefhe32.dll Bhaeli32.exe File created C:\Windows\SysWOW64\Iaffkdlc.dll Nepgcgje.exe File opened for modification C:\Windows\SysWOW64\Lahbei32.exe Logicn32.exe File created C:\Windows\SysWOW64\Obnnnc32.exe Nlgbon32.exe File created C:\Windows\SysWOW64\Pgdgodhj.exe Oajoaj32.exe File created C:\Windows\SysWOW64\Plhhcc32.dll Qmkfoj32.exe File created C:\Windows\SysWOW64\Lglopjkg.exe Laofhbmp.exe File created C:\Windows\SysWOW64\Mnojcb32.exe Mdgejmdi.exe File created C:\Windows\SysWOW64\Bkibdp32.dll Efdbhpbn.exe File opened for modification C:\Windows\SysWOW64\Goconkah.exe Gfkjef32.exe File opened for modification C:\Windows\SysWOW64\Kapfiqoj.exe Kibeoo32.exe File created C:\Windows\SysWOW64\Gofndo32.dll Bpemkcck.exe File created C:\Windows\SysWOW64\Ljglnmdi.exe Kkdoje32.exe File created C:\Windows\SysWOW64\Ofbmdj32.dll Icogcjde.exe File opened for modification C:\Windows\SysWOW64\Mkegbfgp.exe Mqpcdn32.exe File created C:\Windows\SysWOW64\Kdkkha32.dll Kmbkfp32.exe File created C:\Windows\SysWOW64\Pnfbpbof.dll Mkdagm32.exe File created C:\Windows\SysWOW64\Bgqedh32.dll Mhenpk32.exe File created C:\Windows\SysWOW64\Mcgpbknd.dll Panhmi32.exe File created C:\Windows\SysWOW64\Donjdabe.dll Nqaipgal.exe File created C:\Windows\SysWOW64\Hmkfnp32.dll Pkhokkel.exe File created C:\Windows\SysWOW64\Gpdkpe32.dll Lehhqg32.exe File opened for modification C:\Windows\SysWOW64\Piceflpi.exe Pmjhlklg.exe File created C:\Windows\SysWOW64\Jaejqa32.dll Aljmal32.exe File created C:\Windows\SysWOW64\Hapgkmbf.dll Goconkah.exe File opened for modification C:\Windows\SysWOW64\Jhmhpfmi.exe Janghmia.exe File created C:\Windows\SysWOW64\Banlia32.dll Hoiihcde.exe File opened for modification C:\Windows\SysWOW64\Nqaipgal.exe Mjhqcmjo.exe File created C:\Windows\SysWOW64\Kahpgcch.exe Kacgld32.exe File created C:\Windows\SysWOW64\Cmedjl32.exe Cienon32.exe File opened for modification C:\Windows\SysWOW64\Epjfehbd.exe Efdbhpbn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6768 6956 WerFault.exe 904 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdmngm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imkbooff.dll" Jacnegep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obnlpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pihmcflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qajhigcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abqjci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abqjci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaiqcnhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaegcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbmge32.dll" Odidld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nacboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdpnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdkkha32.dll" Kmbkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imofip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhehcge.dll" Ppeipfdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecblbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcafjf32.dll" Kbocng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppbepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmilknm.dll" Deiblamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clfdcgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hijohoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dqdnjfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogcho32.dll" Pilpfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdfcmid.dll" Llmbqdfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kingpj32.dll" Ipmjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andlfi32.dll" Cggpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjakmcg.dll" Kkmijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpnfc32.dll" Fcmnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obqopddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflhco32.dll" Aonhblad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apnndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nacboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qigefl32.dll" Eoocfegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipllghgi.dll" Ednajepe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojopki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkmapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcgndf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imbaobmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekfnbbc.dll" Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnhhmog.dll" Ceppfbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchlb32.dll" Bhdbaihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehpnnpl.dll" Jhdlbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deagoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achmpagb.dll" Glqkefff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecoiapdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmpfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaegcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnmdil32.dll" Hqddqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emanepld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmqggncn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmqggncn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkaijl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fklcbocl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghnpmqef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgafin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbghhkmq.dll" Nmmqgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohiajebm.dll" Coegih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhij32.dll" Mcklac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhddce32.dll" Jafaem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbhbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkmijf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgjmkqke.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3472 wrote to memory of 4440 3472 0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea.exe 98 PID 3472 wrote to memory of 4440 3472 0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea.exe 98 PID 3472 wrote to memory of 4440 3472 0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea.exe 98 PID 4440 wrote to memory of 4272 4440 Nopfpgip.exe 99 PID 4440 wrote to memory of 4272 4440 Nopfpgip.exe 99 PID 4440 wrote to memory of 4272 4440 Nopfpgip.exe 99 PID 4272 wrote to memory of 3536 4272 Nadleilm.exe 100 PID 4272 wrote to memory of 3536 4272 Nadleilm.exe 100 PID 4272 wrote to memory of 3536 4272 Nadleilm.exe 100 PID 3536 wrote to memory of 5032 3536 Nnhmnn32.exe 101 PID 3536 wrote to memory of 5032 3536 Nnhmnn32.exe 101 PID 3536 wrote to memory of 5032 3536 Nnhmnn32.exe 101 PID 5032 wrote to memory of 4612 5032 Oplfkeob.exe 102 PID 5032 wrote to memory of 4612 5032 Oplfkeob.exe 102 PID 5032 wrote to memory of 4612 5032 Oplfkeob.exe 102 PID 4612 wrote to memory of 456 4612 Opeiadfg.exe 103 PID 4612 wrote to memory of 456 4612 Opeiadfg.exe 103 PID 4612 wrote to memory of 456 4612 Opeiadfg.exe 103 PID 456 wrote to memory of 4684 456 Pmnbfhal.exe 104 PID 456 wrote to memory of 4684 456 Pmnbfhal.exe 104 PID 456 wrote to memory of 4684 456 Pmnbfhal.exe 104 PID 4684 wrote to memory of 1728 4684 Qodeajbg.exe 105 PID 4684 wrote to memory of 1728 4684 Qodeajbg.exe 105 PID 4684 wrote to memory of 1728 4684 Qodeajbg.exe 105 PID 1728 wrote to memory of 4656 1728 Adfgdpmi.exe 106 PID 1728 wrote to memory of 4656 1728 Adfgdpmi.exe 106 PID 1728 wrote to memory of 4656 1728 Adfgdpmi.exe 106 PID 4656 wrote to memory of 1500 4656 Bobabg32.exe 107 PID 4656 wrote to memory of 1500 4656 Bobabg32.exe 107 PID 4656 wrote to memory of 1500 4656 Bobabg32.exe 107 PID 1500 wrote to memory of 4712 1500 Bdojjo32.exe 108 PID 1500 wrote to memory of 4712 1500 Bdojjo32.exe 108 PID 1500 wrote to memory of 4712 1500 Bdojjo32.exe 108 PID 4712 wrote to memory of 2320 4712 Baegibae.exe 109 PID 4712 wrote to memory of 2320 4712 Baegibae.exe 109 PID 4712 wrote to memory of 2320 4712 Baegibae.exe 109 PID 2320 wrote to memory of 1912 2320 Bpkdjofm.exe 110 PID 2320 wrote to memory of 1912 2320 Bpkdjofm.exe 110 PID 2320 wrote to memory of 1912 2320 Bpkdjofm.exe 110 PID 1912 wrote to memory of 3056 1912 Cdimqm32.exe 111 PID 1912 wrote to memory of 3056 1912 Cdimqm32.exe 111 PID 1912 wrote to memory of 3056 1912 Cdimqm32.exe 111 PID 3056 wrote to memory of 4340 3056 Caojpaij.exe 112 PID 3056 wrote to memory of 4340 3056 Caojpaij.exe 112 PID 3056 wrote to memory of 4340 3056 Caojpaij.exe 112 PID 4340 wrote to memory of 1988 4340 Ckgohf32.exe 113 PID 4340 wrote to memory of 1988 4340 Ckgohf32.exe 113 PID 4340 wrote to memory of 1988 4340 Ckgohf32.exe 113 PID 1988 wrote to memory of 4044 1988 Dpiplm32.exe 114 PID 1988 wrote to memory of 4044 1988 Dpiplm32.exe 114 PID 1988 wrote to memory of 4044 1988 Dpiplm32.exe 114 PID 4044 wrote to memory of 2588 4044 Ddkbmj32.exe 115 PID 4044 wrote to memory of 2588 4044 Ddkbmj32.exe 115 PID 4044 wrote to memory of 2588 4044 Ddkbmj32.exe 115 PID 2588 wrote to memory of 2240 2588 Dhikci32.exe 116 PID 2588 wrote to memory of 2240 2588 Dhikci32.exe 116 PID 2588 wrote to memory of 2240 2588 Dhikci32.exe 116 PID 2240 wrote to memory of 4784 2240 Edplhjhi.exe 117 PID 2240 wrote to memory of 4784 2240 Edplhjhi.exe 117 PID 2240 wrote to memory of 4784 2240 Edplhjhi.exe 117 PID 4784 wrote to memory of 4996 4784 Ekonpckp.exe 118 PID 4784 wrote to memory of 4996 4784 Ekonpckp.exe 118 PID 4784 wrote to memory of 4996 4784 Ekonpckp.exe 118 PID 4996 wrote to memory of 4940 4996 Foapaa32.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea.exe"C:\Users\Admin\AppData\Local\Temp\0b67c15fb2dae76c5e408cba25f57415a142edc7c5069fc66e8c1f346bfc21ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Oplfkeob.exeC:\Windows\system32\Oplfkeob.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Opeiadfg.exeC:\Windows\system32\Opeiadfg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Adfgdpmi.exeC:\Windows\system32\Adfgdpmi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Baegibae.exeC:\Windows\system32\Baegibae.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Caojpaij.exeC:\Windows\system32\Caojpaij.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Dhikci32.exeC:\Windows\system32\Dhikci32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Foapaa32.exeC:\Windows\system32\Foapaa32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Fkhpfbce.exeC:\Windows\system32\Fkhpfbce.exe23⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe24⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe25⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Geoapenf.exeC:\Windows\system32\Geoapenf.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe27⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe28⤵PID:2160
-
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe29⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe30⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe31⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe32⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Joekag32.exeC:\Windows\system32\Joekag32.exe33⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe34⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3504 -
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe36⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Klggli32.exeC:\Windows\system32\Klggli32.exe37⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Lohqnd32.exeC:\Windows\system32\Lohqnd32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Ledepn32.exeC:\Windows\system32\Ledepn32.exe39⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Ljbnfleo.exeC:\Windows\system32\Ljbnfleo.exe40⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe41⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Mofmobmo.exeC:\Windows\system32\Mofmobmo.exe42⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Mlljnf32.exeC:\Windows\system32\Mlljnf32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Nfgklkoc.exeC:\Windows\system32\Nfgklkoc.exe44⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe45⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe46⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Nqfbpb32.exeC:\Windows\system32\Nqfbpb32.exe47⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Omopjcjp.exeC:\Windows\system32\Omopjcjp.exe48⤵
- Executes dropped EXE
PID:5140 -
C:\Windows\SysWOW64\Oihmedma.exeC:\Windows\system32\Oihmedma.exe49⤵
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5232 -
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe51⤵
- Executes dropped EXE
PID:5272 -
C:\Windows\SysWOW64\Padnaq32.exeC:\Windows\system32\Padnaq32.exe52⤵
- Executes dropped EXE
PID:5312 -
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe53⤵
- Executes dropped EXE
PID:5352 -
C:\Windows\SysWOW64\Piapkbeg.exeC:\Windows\system32\Piapkbeg.exe54⤵
- Executes dropped EXE
PID:5400 -
C:\Windows\SysWOW64\Pidlqb32.exeC:\Windows\system32\Pidlqb32.exe55⤵
- Executes dropped EXE
PID:5448 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe56⤵
- Executes dropped EXE
PID:5504 -
C:\Windows\SysWOW64\Aaiqcnhg.exeC:\Windows\system32\Aaiqcnhg.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:5544 -
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe59⤵
- Executes dropped EXE
PID:5640 -
C:\Windows\SysWOW64\Bbfmgd32.exeC:\Windows\system32\Bbfmgd32.exe60⤵
- Executes dropped EXE
PID:5700 -
C:\Windows\SysWOW64\Cienon32.exeC:\Windows\system32\Cienon32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5744 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe62⤵
- Executes dropped EXE
PID:5788 -
C:\Windows\SysWOW64\Cildom32.exeC:\Windows\system32\Cildom32.exe63⤵
- Executes dropped EXE
PID:5828 -
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe64⤵
- Executes dropped EXE
PID:5868 -
C:\Windows\SysWOW64\Dggkipii.exeC:\Windows\system32\Dggkipii.exe65⤵
- Executes dropped EXE
PID:5908 -
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe66⤵
- Executes dropped EXE
PID:5952 -
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe67⤵PID:5992
-
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe68⤵PID:6036
-
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe69⤵PID:6084
-
C:\Windows\SysWOW64\Fklcgk32.exeC:\Windows\system32\Fklcgk32.exe70⤵PID:5128
-
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe71⤵PID:5184
-
C:\Windows\SysWOW64\Hqghqpnl.exeC:\Windows\system32\Hqghqpnl.exe72⤵PID:5260
-
C:\Windows\SysWOW64\Hegmlnbp.exeC:\Windows\system32\Hegmlnbp.exe73⤵PID:5348
-
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe74⤵PID:5416
-
C:\Windows\SysWOW64\Icogcjde.exeC:\Windows\system32\Icogcjde.exe75⤵
- Drops file in System32 directory
PID:5540 -
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe76⤵PID:5392
-
C:\Windows\SysWOW64\Janghmia.exeC:\Windows\system32\Janghmia.exe77⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Jhmhpfmi.exeC:\Windows\system32\Jhmhpfmi.exe78⤵PID:5772
-
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe79⤵PID:5836
-
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe80⤵PID:5892
-
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe81⤵PID:5960
-
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe82⤵
- Drops file in System32 directory
PID:6032 -
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe83⤵PID:6120
-
C:\Windows\SysWOW64\Lolcnman.exeC:\Windows\system32\Lolcnman.exe84⤵PID:5172
-
C:\Windows\SysWOW64\Lehhqg32.exeC:\Windows\system32\Lehhqg32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4820 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe86⤵PID:5476
-
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe87⤵PID:5388
-
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe88⤵PID:5732
-
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe90⤵
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe91⤵PID:5180
-
C:\Windows\SysWOW64\Ohhfknjf.exeC:\Windows\system32\Ohhfknjf.exe92⤵PID:5212
-
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe93⤵PID:5576
-
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe94⤵
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe95⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe96⤵PID:4540
-
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe97⤵PID:5680
-
C:\Windows\SysWOW64\Afnlpohj.exeC:\Windows\system32\Afnlpohj.exe98⤵
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe99⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe100⤵PID:4296
-
C:\Windows\SysWOW64\Cbhbbn32.exeC:\Windows\system32\Cbhbbn32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe102⤵PID:5196
-
C:\Windows\SysWOW64\Dinjjf32.exeC:\Windows\system32\Dinjjf32.exe103⤵PID:4364
-
C:\Windows\SysWOW64\Dgdgijhp.exeC:\Windows\system32\Dgdgijhp.exe104⤵PID:5076
-
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe105⤵PID:3452
-
C:\Windows\SysWOW64\Dekapfke.exeC:\Windows\system32\Dekapfke.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe107⤵PID:6188
-
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe108⤵PID:6232
-
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6288 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe110⤵PID:6356
-
C:\Windows\SysWOW64\Fjeibc32.exeC:\Windows\system32\Fjeibc32.exe111⤵
- Drops file in System32 directory
PID:6396 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe112⤵
- Modifies registry class
PID:6448 -
C:\Windows\SysWOW64\Fncbha32.exeC:\Windows\system32\Fncbha32.exe113⤵PID:6496
-
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe114⤵PID:6540
-
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6580 -
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe116⤵PID:6636
-
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe117⤵PID:6680
-
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe118⤵PID:6732
-
C:\Windows\SysWOW64\Gnckooob.exeC:\Windows\system32\Gnckooob.exe119⤵PID:6780
-
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe120⤵PID:6824
-
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe121⤵PID:6868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-