Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14/03/2024, 17:14
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
-
Size
88KB
-
MD5
0e94732c395e1eca486b7c5a619b4b86
-
SHA1
0bd96661f1f96056fb3d217b0b6f0831713c9c44
-
SHA256
07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5
-
SHA512
079d620b0b6963538e75aba497134b872ed23a43572b0e39201b36ee83123ac1bd4bdc0f21fedaf892645c8d159d9e0ded77f6cd588459e2c2c5889eaa7ccc3e
-
SSDEEP
1536:tYS6iWfAMhS+4nV4ZtPEPm2q2w1zMkPGDEjj1dnouy8L:zfCV4nwPEO2ozVPLVloutL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klekfinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjoankoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqdpgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmnoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdojjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpmbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqpgdfnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipdqba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhihdcbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kelalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nglhld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmohmoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jifecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hopnqdan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmjdjgjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaonjngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeocna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Palklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdlkdhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ganldgib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqknig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inpccihl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmechmip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mminhceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gacepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fonnop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfnhfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganldgib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adgbpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkckeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iloidijb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Damfao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joekag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fajnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkmgblok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhijd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heocnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfoiokfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekpmbddq.exe -
UPX dump on OEP (original entry point) 44 IoCs
resource yara_rule behavioral2/files/0x000800000002332c-7.dat UPX behavioral2/files/0x000700000002332f-14.dat UPX behavioral2/files/0x0007000000023332-22.dat UPX behavioral2/files/0x0007000000023334-30.dat UPX behavioral2/files/0x0007000000023336-38.dat UPX behavioral2/files/0x0007000000023338-46.dat UPX behavioral2/files/0x000700000002333a-54.dat UPX behavioral2/files/0x000700000002333c-62.dat UPX behavioral2/files/0x000700000002333e-70.dat UPX behavioral2/files/0x0007000000023340-78.dat UPX behavioral2/files/0x000800000002332a-86.dat UPX behavioral2/files/0x0007000000023343-94.dat UPX behavioral2/files/0x0007000000023345-102.dat UPX behavioral2/files/0x0007000000023347-105.dat UPX behavioral2/files/0x0007000000023349-118.dat UPX behavioral2/files/0x000700000002334b-126.dat UPX behavioral2/files/0x000700000002334d-134.dat UPX behavioral2/files/0x000700000002334f-142.dat UPX behavioral2/files/0x0007000000023351-151.dat UPX behavioral2/files/0x0007000000023353-158.dat UPX behavioral2/files/0x0007000000023356-166.dat UPX behavioral2/files/0x0007000000023358-174.dat UPX behavioral2/files/0x000700000002335a-183.dat UPX behavioral2/files/0x000700000002335c-191.dat UPX behavioral2/files/0x000700000002335e-198.dat UPX behavioral2/files/0x0007000000023360-206.dat UPX behavioral2/files/0x0007000000023362-214.dat UPX behavioral2/files/0x0007000000023364-222.dat UPX behavioral2/files/0x0007000000023366-230.dat UPX behavioral2/files/0x0007000000023368-238.dat UPX behavioral2/files/0x000700000002336a-246.dat UPX behavioral2/files/0x000700000002336c-254.dat UPX behavioral2/files/0x000700000002337a-293.dat UPX behavioral2/files/0x0007000000023384-323.dat UPX behavioral2/files/0x0007000000023394-371.dat UPX behavioral2/files/0x00070000000233bd-503.dat UPX behavioral2/files/0x00070000000233d3-574.dat UPX behavioral2/files/0x00070000000234a0-1262.dat UPX behavioral2/files/0x00070000000234dc-1486.dat UPX behavioral2/files/0x000700000002358c-2557.dat UPX behavioral2/files/0x00070000000235a0-2618.dat UPX behavioral2/files/0x00070000000235b2-2672.dat UPX behavioral2/files/0x00070000000236d4-3661.dat UPX behavioral2/files/0x00070000000236d8-3675.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 4608 Hopnqdan.exe 2304 Helfik32.exe 4800 Hkfoeega.exe 4580 Heocnk32.exe 1980 Hodgkc32.exe 3048 Himldi32.exe 3584 Hcbpab32.exe 1828 Hmjdjgjo.exe 4692 Hbgmcnhf.exe 2264 Ikpaldog.exe 1004 Ibjjhn32.exe 1172 Icifbang.exe 2604 Iifokh32.exe 3992 Iemppiab.exe 5064 Icnpmp32.exe 4972 Iikhfg32.exe 3220 Ipdqba32.exe 1096 Jfoiokfb.exe 4940 Jlkagbej.exe 4600 Lpebpm32.exe 4556 Lllcen32.exe 2588 Medgncoe.exe 3328 Mchhggno.exe 3052 Mlampmdo.exe 924 Mckemg32.exe 4884 Mcmabg32.exe 4328 Mlefklpj.exe 4964 Mgkjhe32.exe 3252 Ndokbi32.exe 5044 Nepgjaeg.exe 5032 Nljofl32.exe 4112 Njnpppkn.exe 1356 Ndcdmikd.exe 4864 Neeqea32.exe 1776 Npjebj32.exe 2152 Ngdmod32.exe 5008 Nlaegk32.exe 4856 Nggjdc32.exe 2068 Oponmilc.exe 4188 Ogifjcdp.exe 1592 Oncofm32.exe 4756 Odmgcgbi.exe 2776 Ofnckp32.exe 3100 Olhlhjpd.exe 4484 Ofqpqo32.exe 4440 Olkhmi32.exe 3884 Ocdqjceo.exe 5156 Ojoign32.exe 5196 Ocgmpccl.exe 5236 Ojaelm32.exe 5280 Pqknig32.exe 5324 Pgefeajb.exe 5364 Pjcbbmif.exe 5404 Pclgkb32.exe 5448 Pnakhkol.exe 5500 Pqpgdfnp.exe 5540 Pflplnlg.exe 5580 Pmfhig32.exe 5620 Pgllfp32.exe 5664 Pqdqof32.exe 5708 Pgnilpah.exe 5752 Qnhahj32.exe 5824 Qjoankoi.exe 5864 Qddfkd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnindhpg.exe Bohbhmfm.exe File created C:\Windows\SysWOW64\Kpjbdk32.dll Dhgonidg.exe File created C:\Windows\SysWOW64\Ccegpn32.dll Eqncnj32.exe File created C:\Windows\SysWOW64\Gijmad32.exe Gacepg32.exe File created C:\Windows\SysWOW64\Hbnaeh32.exe Hnbeeiji.exe File opened for modification C:\Windows\SysWOW64\Adgbpc32.exe Ampkof32.exe File created C:\Windows\SysWOW64\Aaccdk32.dll Jkmgblok.exe File opened for modification C:\Windows\SysWOW64\Omcjep32.exe Olanmgig.exe File created C:\Windows\SysWOW64\Ekbngp32.dll Ealadnik.exe File created C:\Windows\SysWOW64\Ljgmjm32.dll Opbean32.exe File created C:\Windows\SysWOW64\Chjjqebm.dll Piocecgj.exe File opened for modification C:\Windows\SysWOW64\Fonnop32.exe Fajnfl32.exe File created C:\Windows\SysWOW64\Fechomko.exe Fbpchb32.exe File opened for modification C:\Windows\SysWOW64\Conanfli.exe Cggimh32.exe File opened for modification C:\Windows\SysWOW64\Jidinqpb.exe Ihdldn32.exe File created C:\Windows\SysWOW64\Hobbfhjl.dll Loacdc32.exe File created C:\Windows\SysWOW64\Pgefeajb.exe Pqknig32.exe File created C:\Windows\SysWOW64\Pkejdahi.dll Afhohlbj.exe File created C:\Windows\SysWOW64\Echdno32.dll Cnicfe32.exe File opened for modification C:\Windows\SysWOW64\Dndgfpbo.exe Dkekjdck.exe File created C:\Windows\SysWOW64\Flpoofmk.dll Gegkpf32.exe File created C:\Windows\SysWOW64\Kkcmfmhk.dll Eachem32.exe File opened for modification C:\Windows\SysWOW64\Hfningai.exe Hkhdqoac.exe File opened for modification C:\Windows\SysWOW64\Inpccihl.exe Ikaggmii.exe File opened for modification C:\Windows\SysWOW64\Jkhgmf32.exe Igedlh32.exe File created C:\Windows\SysWOW64\Nbcpja32.dll Acokhc32.exe File created C:\Windows\SysWOW64\Haodle32.exe Hbldphde.exe File opened for modification C:\Windows\SysWOW64\Bchomn32.exe Bmngqdpj.exe File created C:\Windows\SysWOW64\Kelalp32.exe Kldmckic.exe File created C:\Windows\SysWOW64\Locbfd32.exe Lldfjh32.exe File created C:\Windows\SysWOW64\Iojkeh32.exe Ilkoim32.exe File opened for modification C:\Windows\SysWOW64\Jhplpl32.exe Jbccge32.exe File opened for modification C:\Windows\SysWOW64\Kemooo32.exe Kocgbend.exe File created C:\Windows\SysWOW64\Piocecgj.exe Pfagighf.exe File opened for modification C:\Windows\SysWOW64\Cpfcfmlp.exe Coegoe32.exe File created C:\Windows\SysWOW64\Ekppjn32.dll Dddllkbf.exe File created C:\Windows\SysWOW64\Begfqa32.dll Eiekog32.exe File opened for modification C:\Windows\SysWOW64\Khbdikip.exe Kfqgab32.exe File created C:\Windows\SysWOW64\Oblknjim.dll Cgqlcg32.exe File opened for modification C:\Windows\SysWOW64\Fqgedh32.exe Fofilp32.exe File opened for modification C:\Windows\SysWOW64\Gokbgpeg.exe Fgcjfbed.exe File created C:\Windows\SysWOW64\Qffbbldm.exe Qddfkd32.exe File created C:\Windows\SysWOW64\Bjagjhnc.exe Bchomn32.exe File opened for modification C:\Windows\SysWOW64\Bnpppgdj.exe Bfhhoi32.exe File created C:\Windows\SysWOW64\Mgfhfd32.dll Kocgbend.exe File opened for modification C:\Windows\SysWOW64\Pbcncibp.exe Oikjkc32.exe File opened for modification C:\Windows\SysWOW64\Ogifjcdp.exe Oponmilc.exe File opened for modification C:\Windows\SysWOW64\Eglgbdep.exe Eaonjngh.exe File created C:\Windows\SysWOW64\Ghehjh32.dll Ekcgkb32.exe File opened for modification C:\Windows\SysWOW64\Indmnh32.exe Ikfabm32.exe File opened for modification C:\Windows\SysWOW64\Dbqqkkbo.exe Bbnkonbd.exe File created C:\Windows\SysWOW64\Ahofoogd.exe Ahmjjoig.exe File opened for modification C:\Windows\SysWOW64\Fbbicl32.exe Fgmdec32.exe File created C:\Windows\SysWOW64\Fgoakc32.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Nepgjaeg.exe Ndokbi32.exe File created C:\Windows\SysWOW64\Cdcoim32.exe Cnffqf32.exe File opened for modification C:\Windows\SysWOW64\Igcoqocb.exe Ifbbig32.exe File opened for modification C:\Windows\SysWOW64\Mhckcgpj.exe Mcfbkpab.exe File created C:\Windows\SysWOW64\Keblci32.dll Ikpaldog.exe File opened for modification C:\Windows\SysWOW64\Fojedapj.exe Fhpmgg32.exe File created C:\Windows\SysWOW64\Qdhogopn.dll Adkgje32.exe File created C:\Windows\SysWOW64\Qhbepcmd.dll Pjcbbmif.exe File created C:\Windows\SysWOW64\Hikemehi.dll Cggimh32.exe File created C:\Windows\SysWOW64\Gicgpelg.exe Gegkpf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7036 9204 WerFault.exe 576 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhkcaln.dll" Hopnqdan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehdmlhcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlndj32.dll" Famjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klekfinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhlfehjp.dll" Ikaggmii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll" Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll" Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnckpmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfklhhcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pddhbipj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkikinpo.dll" Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdding32.dll" Foapaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmafajfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgcjfbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmalnp32.dll" Hhlejcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffkclmbd.dll" Lhkgoiqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmechmip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekpmbddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjnnje32.dll" Fafdkmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebkgjkg.dll" Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgibp32.dll" Ommceclc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" Cnffqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgabkoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgaiiq32.dll" Hginecde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhphmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mchhggno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pflplnlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" Cagobalc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnckpmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkfgena.dll" Kflnfcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaifkq.dll" Ikkpgafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klndfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kadpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhpmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igmagnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edbnqkga.dll" Lnnikdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlcjhkdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Helbbkkj.dll" Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afomjffg.dll" Iikhfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgnilpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idgojc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmaciefp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4588 wrote to memory of 4608 4588 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe 94 PID 4588 wrote to memory of 4608 4588 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe 94 PID 4588 wrote to memory of 4608 4588 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe 94 PID 4608 wrote to memory of 2304 4608 Hopnqdan.exe 95 PID 4608 wrote to memory of 2304 4608 Hopnqdan.exe 95 PID 4608 wrote to memory of 2304 4608 Hopnqdan.exe 95 PID 2304 wrote to memory of 4800 2304 Helfik32.exe 96 PID 2304 wrote to memory of 4800 2304 Helfik32.exe 96 PID 2304 wrote to memory of 4800 2304 Helfik32.exe 96 PID 4800 wrote to memory of 4580 4800 Hkfoeega.exe 97 PID 4800 wrote to memory of 4580 4800 Hkfoeega.exe 97 PID 4800 wrote to memory of 4580 4800 Hkfoeega.exe 97 PID 4580 wrote to memory of 1980 4580 Heocnk32.exe 98 PID 4580 wrote to memory of 1980 4580 Heocnk32.exe 98 PID 4580 wrote to memory of 1980 4580 Heocnk32.exe 98 PID 1980 wrote to memory of 3048 1980 Hodgkc32.exe 99 PID 1980 wrote to memory of 3048 1980 Hodgkc32.exe 99 PID 1980 wrote to memory of 3048 1980 Hodgkc32.exe 99 PID 3048 wrote to memory of 3584 3048 Himldi32.exe 100 PID 3048 wrote to memory of 3584 3048 Himldi32.exe 100 PID 3048 wrote to memory of 3584 3048 Himldi32.exe 100 PID 3584 wrote to memory of 1828 3584 Hcbpab32.exe 101 PID 3584 wrote to memory of 1828 3584 Hcbpab32.exe 101 PID 3584 wrote to memory of 1828 3584 Hcbpab32.exe 101 PID 1828 wrote to memory of 4692 1828 Hmjdjgjo.exe 103 PID 1828 wrote to memory of 4692 1828 Hmjdjgjo.exe 103 PID 1828 wrote to memory of 4692 1828 Hmjdjgjo.exe 103 PID 4692 wrote to memory of 2264 4692 Hbgmcnhf.exe 104 PID 4692 wrote to memory of 2264 4692 Hbgmcnhf.exe 104 PID 4692 wrote to memory of 2264 4692 Hbgmcnhf.exe 104 PID 2264 wrote to memory of 1004 2264 Ikpaldog.exe 105 PID 2264 wrote to memory of 1004 2264 Ikpaldog.exe 105 PID 2264 wrote to memory of 1004 2264 Ikpaldog.exe 105 PID 1004 wrote to memory of 1172 1004 Ibjjhn32.exe 106 PID 1004 wrote to memory of 1172 1004 Ibjjhn32.exe 106 PID 1004 wrote to memory of 1172 1004 Ibjjhn32.exe 106 PID 1172 wrote to memory of 2604 1172 Icifbang.exe 107 PID 1172 wrote to memory of 2604 1172 Icifbang.exe 107 PID 1172 wrote to memory of 2604 1172 Icifbang.exe 107 PID 2604 wrote to memory of 3992 2604 Iifokh32.exe 108 PID 2604 wrote to memory of 3992 2604 Iifokh32.exe 108 PID 2604 wrote to memory of 3992 2604 Iifokh32.exe 108 PID 3992 wrote to memory of 5064 3992 Iemppiab.exe 109 PID 3992 wrote to memory of 5064 3992 Iemppiab.exe 109 PID 3992 wrote to memory of 5064 3992 Iemppiab.exe 109 PID 5064 wrote to memory of 4972 5064 Icnpmp32.exe 110 PID 5064 wrote to memory of 4972 5064 Icnpmp32.exe 110 PID 5064 wrote to memory of 4972 5064 Icnpmp32.exe 110 PID 4972 wrote to memory of 3220 4972 Iikhfg32.exe 112 PID 4972 wrote to memory of 3220 4972 Iikhfg32.exe 112 PID 4972 wrote to memory of 3220 4972 Iikhfg32.exe 112 PID 3220 wrote to memory of 1096 3220 Ipdqba32.exe 113 PID 3220 wrote to memory of 1096 3220 Ipdqba32.exe 113 PID 3220 wrote to memory of 1096 3220 Ipdqba32.exe 113 PID 1096 wrote to memory of 4940 1096 Jfoiokfb.exe 114 PID 1096 wrote to memory of 4940 1096 Jfoiokfb.exe 114 PID 1096 wrote to memory of 4940 1096 Jfoiokfb.exe 114 PID 4940 wrote to memory of 4600 4940 Jlkagbej.exe 115 PID 4940 wrote to memory of 4600 4940 Jlkagbej.exe 115 PID 4940 wrote to memory of 4600 4940 Jlkagbej.exe 115 PID 4600 wrote to memory of 4556 4600 Lpebpm32.exe 116 PID 4600 wrote to memory of 4556 4600 Lpebpm32.exe 116 PID 4600 wrote to memory of 4556 4600 Lpebpm32.exe 116 PID 4556 wrote to memory of 2588 4556 Lllcen32.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe"C:\Users\Admin\AppData\Local\Temp\07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe23⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3328 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe25⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe26⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe27⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe28⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe29⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe31⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe32⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe33⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe34⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe35⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe36⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe38⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe39⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Oponmilc.exeC:\Windows\system32\Oponmilc.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe41⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe42⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe43⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe44⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe45⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe46⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe47⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe48⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe49⤵
- Executes dropped EXE
PID:5156 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe51⤵
- Executes dropped EXE
PID:5236 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe53⤵
- Executes dropped EXE
PID:5324 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5364 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe55⤵
- Executes dropped EXE
PID:5404 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe56⤵
- Executes dropped EXE
PID:5448 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5500 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe59⤵
- Executes dropped EXE
PID:5580 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5620 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5664 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe63⤵
- Executes dropped EXE
PID:5752 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5824 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe66⤵PID:5904
-
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe67⤵
- Drops file in System32 directory
PID:5944 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5984 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe69⤵
- Drops file in System32 directory
PID:6024 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe70⤵PID:6068
-
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe71⤵PID:6108
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe72⤵PID:5124
-
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe73⤵PID:5184
-
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe74⤵PID:5288
-
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe75⤵PID:5332
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe76⤵PID:5400
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe78⤵PID:5548
-
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe79⤵PID:5628
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5692 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe81⤵
- Drops file in System32 directory
PID:5764 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5844 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe83⤵PID:5964
-
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe84⤵PID:6032
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe85⤵
- Drops file in System32 directory
PID:6092 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe86⤵PID:5188
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe87⤵PID:5260
-
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe88⤵PID:5384
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe89⤵PID:5532
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe90⤵PID:5652
-
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe91⤵PID:5852
-
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe92⤵PID:5968
-
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe94⤵PID:5164
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe95⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe96⤵
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe97⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe98⤵PID:6004
-
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe99⤵PID:4092
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe100⤵PID:5520
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe101⤵PID:5900
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe102⤵PID:5220
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe103⤵PID:5928
-
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe104⤵PID:5832
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6136 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe106⤵PID:6168
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe107⤵PID:6200
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe108⤵PID:6260
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe109⤵PID:6304
-
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe110⤵PID:6352
-
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe111⤵PID:6396
-
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6448 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe113⤵PID:6492
-
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe114⤵
- Modifies registry class
PID:6552 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe115⤵PID:6604
-
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe116⤵
- Drops file in System32 directory
PID:6668 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe117⤵PID:6712
-
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe118⤵PID:6756
-
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6800 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe120⤵PID:6844
-
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe121⤵PID:6892
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-