Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2024, 02:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe
-
Size
71KB
-
MD5
dde0fd6207db1a16ec790dff7fc8d0fe
-
SHA1
b66ccf60a605fac3ef3c997a8d72315f5495c17f
-
SHA256
f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f
-
SHA512
1c70aaeb0d3dc873e145cc93a54d4af370bf0d3cdc3cd5bc9f8208e64c5a4a7f88a1bb1e2d7179e95e66adcf666da60261e6d3d0e5b87f1fc187fc57267cab81
-
SSDEEP
1536:QBg2vv/Px4BMB6Nv2OT91v8wsih6ONvUlvfMOHo3RQZK1P+ATT:0vMMB6Nv2kUws+6ONv2o3eIP+A3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igfkfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdenmbkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqpbglno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafonaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibffhhek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblijebc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Noehba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchjdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnihiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcnleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgabkoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbdbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jiokfpph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlklkgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaamlecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jilnqqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijpepcfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nihipdhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noaeqjpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffkhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdnldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghkeio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qqhcpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debnjgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eobocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccgajfeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkpma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbgaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchhfild.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpckf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eglgbdep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejpje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qofcff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpnlclc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eobocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmkcqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehailbaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofdqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohhfknjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgbdcgld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fehfljca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpieqeko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggbook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keakgpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eibfck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loemnnhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpnihiio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfodgeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loopdmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbfoclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gekcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mimpolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nipekiep.exe -
Executes dropped EXE 64 IoCs
pid Process 4616 Pnakhkol.exe 2124 Pmfhig32.exe 5000 Pgllfp32.exe 3688 Pmidog32.exe 1656 Pfaigm32.exe 880 Qqfmde32.exe 2948 Qgqeappe.exe 2712 Qnjnnj32.exe 3380 Qffbbldm.exe 3512 Aqkgpedc.exe 2652 Anogiicl.exe 1452 Aeiofcji.exe 4652 Amddjegd.exe 1372 Aeklkchg.exe 2496 Andqdh32.exe 3724 Acqimo32.exe 3816 Anfmjhmd.exe 4840 Bfabnjjp.exe 844 Bmkjkd32.exe 1988 Bganhm32.exe 4444 Bnkgeg32.exe 316 Bchomn32.exe 1912 Bfhhoi32.exe 2504 Bnbmefbg.exe 4524 Cfmajipb.exe 4980 Cndikf32.exe 2144 Cenahpha.exe 4168 Chokikeb.exe 3348 Cagobalc.exe 1576 Cjpckf32.exe 1680 Cdhhdlid.exe 4848 Cjbpaf32.exe 3644 Ddjejl32.exe 1244 Dopigd32.exe 2160 Danecp32.exe 4060 Dhhnpjmh.exe 2252 Dmefhako.exe 4580 Ddonekbl.exe 1972 Dkifae32.exe 2796 Dmgbnq32.exe 3188 Dhmgki32.exe 1144 Dogogcpo.exe 3496 Deagdn32.exe 4408 Dknpmdfc.exe 2784 Dahhio32.exe 4140 Ehapfiem.exe 752 Edhakj32.exe 1472 Ekbihd32.exe 1016 Eehnem32.exe 5168 Edknqiho.exe 5208 Ekefmc32.exe 5248 Emcbio32.exe 5288 Eglgbdep.exe 5328 Eobocb32.exe 5372 Egnchd32.exe 5412 Eoekia32.exe 5456 Fdbdah32.exe 5496 Foghnabl.exe 5536 Fafdkmap.exe 5572 Fhpmgg32.exe 5616 Fknicb32.exe 5660 Fdfmlhna.exe 5704 Fkqeib32.exe 5744 Fefjfked.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pmoagk32.exe Pehjfm32.exe File created C:\Windows\SysWOW64\Mdphmfph.dll Bldgoeog.exe File created C:\Windows\SysWOW64\Dogogcpo.exe Dhmgki32.exe File opened for modification C:\Windows\SysWOW64\Jnkcogno.exe Jiokfpph.exe File opened for modification C:\Windows\SysWOW64\Jnbgaa32.exe Jhhodg32.exe File created C:\Windows\SysWOW64\Oijflc32.dll Pdngpo32.exe File created C:\Windows\SysWOW64\Naaqofgj.exe Nbnpcj32.exe File opened for modification C:\Windows\SysWOW64\Kalcik32.exe Kkbkmqed.exe File created C:\Windows\SysWOW64\Qopkop32.dll Bmkjkd32.exe File created C:\Windows\SysWOW64\Ahchda32.exe Afelhf32.exe File opened for modification C:\Windows\SysWOW64\Acpbbi32.exe Aqaffn32.exe File created C:\Windows\SysWOW64\Inmpcc32.exe Ikndgg32.exe File created C:\Windows\SysWOW64\Kaehljpj.exe Knflpoqf.exe File created C:\Windows\SysWOW64\Kbjodaqj.dll Eecphp32.exe File created C:\Windows\SysWOW64\Ehapfiem.exe Dahhio32.exe File opened for modification C:\Windows\SysWOW64\Ikokan32.exe Ibffhhek.exe File created C:\Windows\SysWOW64\Kaaial32.dll Njghbl32.exe File opened for modification C:\Windows\SysWOW64\Lhpnlclc.exe Laffpi32.exe File created C:\Windows\SysWOW64\Ocmconhk.exe Opogbbig.exe File created C:\Windows\SysWOW64\Algpao32.dll Jpkphjeb.exe File created C:\Windows\SysWOW64\Fgdbnmji.exe Fdffbake.exe File created C:\Windows\SysWOW64\Ojgjndno.exe Ohhnbhok.exe File created C:\Windows\SysWOW64\Hpdlhkad.dll Emcbio32.exe File created C:\Windows\SysWOW64\Fmqopc32.dll Eglgbdep.exe File created C:\Windows\SysWOW64\Hkehkocf.exe Hfipbh32.exe File created C:\Windows\SysWOW64\Gdokakcj.dll Aealll32.exe File opened for modification C:\Windows\SysWOW64\Kpgodhkd.exe Keakgpko.exe File opened for modification C:\Windows\SysWOW64\Opogbbig.exe Ohgoaehe.exe File created C:\Windows\SysWOW64\Ploknb32.exe Pedbahod.exe File opened for modification C:\Windows\SysWOW64\Hpfcdojl.exe Hjlkge32.exe File created C:\Windows\SysWOW64\Poomegpf.exe Plndcl32.exe File created C:\Windows\SysWOW64\Ilkhog32.exe Ibbcfa32.exe File opened for modification C:\Windows\SysWOW64\Jhhodg32.exe Jnpjlajn.exe File created C:\Windows\SysWOW64\Mmalnp32.dll Hbbmmi32.exe File created C:\Windows\SysWOW64\Ljqhkckn.exe Jmbhoeid.exe File opened for modification C:\Windows\SysWOW64\Qnjnnj32.exe Qgqeappe.exe File created C:\Windows\SysWOW64\Lmeffoid.dll Nhpiafnm.exe File created C:\Windows\SysWOW64\Nchjdo32.exe Npjnhc32.exe File opened for modification C:\Windows\SysWOW64\Pedbahod.exe Ocdjpmac.exe File opened for modification C:\Windows\SysWOW64\Okchnk32.exe Nhbolp32.exe File created C:\Windows\SysWOW64\Pmmlla32.exe Jimldogg.exe File created C:\Windows\SysWOW64\Mqkbjk32.dll Qfjcep32.exe File created C:\Windows\SysWOW64\Fnaokmco.exe Fhdfbfdh.exe File opened for modification C:\Windows\SysWOW64\Gekcaj32.exe Fkeodaai.exe File created C:\Windows\SysWOW64\Nofoidko.dll Kbpbed32.exe File created C:\Windows\SysWOW64\Lcafnn32.dll Hbpphi32.exe File created C:\Windows\SysWOW64\Kbpbed32.exe Kgknhl32.exe File created C:\Windows\SysWOW64\Nincmhle.dll Leoghn32.exe File opened for modification C:\Windows\SysWOW64\Fpkibf32.exe Eecphp32.exe File created C:\Windows\SysWOW64\Pnfceopp.dll Hebcao32.exe File opened for modification C:\Windows\SysWOW64\Lolcnman.exe Llngbabj.exe File opened for modification C:\Windows\SysWOW64\Qqfmde32.exe Pfaigm32.exe File opened for modification C:\Windows\SysWOW64\Bmkjkd32.exe Bfabnjjp.exe File created C:\Windows\SysWOW64\Npchgdcd.exe Nhlpfgbb.exe File created C:\Windows\SysWOW64\Hkjmbk32.dll Qadoba32.exe File created C:\Windows\SysWOW64\Olicnfco.exe Odalmibl.exe File created C:\Windows\SysWOW64\Lajokiaa.exe Lolcnman.exe File opened for modification C:\Windows\SysWOW64\Pkabbgol.exe Pmoagk32.exe File created C:\Windows\SysWOW64\Ljbncc32.dll Acqimo32.exe File created C:\Windows\SysWOW64\Ncfmno32.exe Nhpiafnm.exe File created C:\Windows\SysWOW64\Bciehh32.exe Bpnihiio.exe File created C:\Windows\SysWOW64\Cibkohef.exe Cfcoblfb.exe File created C:\Windows\SysWOW64\Ijogmdqm.exe Ihnkel32.exe File created C:\Windows\SysWOW64\Efficj32.dll Kelkaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4056 5788 WerFault.exe 663 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkbkmqed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dogogcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbcignbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndpjnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhpmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgjjdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mehcdfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll" Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbejk32.dll" Hdnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjjof32.dll" Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiipk32.dll" Ciiaogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eglgbdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjmpkqqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifpcjin.dll" Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egnchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgadgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll" Nfpghccm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhpnlclc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfniqp32.dll" Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcpgb32.dll" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qgqeappe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headjohq.dll" Mahnhhod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjkpjn.dll" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bciehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cglgjeci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihbdplfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhcgin.dll" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apkjddke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngmpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecffa32.dll" Lkabjbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Keonap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpeafcfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghklce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpijjo32.dll" Jgdhgmep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ploknb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cqpbglno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfdnejf.dll" Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfjbh32.dll" Cibkohef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkibb32.dll" Okchnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aompak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll" Bganhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qfjcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll" Qppkhfec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpngef32.dll" Dpefaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghipne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignmpke.dll" Ighhln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mplafeil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opogbbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Poodpmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhcbe32.dll" Hkehkocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmklglpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkenjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oheienli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohhfknjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efiopa32.dll" Bcbeqaia.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 452 wrote to memory of 4616 452 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 93 PID 452 wrote to memory of 4616 452 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 93 PID 452 wrote to memory of 4616 452 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 93 PID 4616 wrote to memory of 2124 4616 Pnakhkol.exe 95 PID 4616 wrote to memory of 2124 4616 Pnakhkol.exe 95 PID 4616 wrote to memory of 2124 4616 Pnakhkol.exe 95 PID 2124 wrote to memory of 5000 2124 Pmfhig32.exe 96 PID 2124 wrote to memory of 5000 2124 Pmfhig32.exe 96 PID 2124 wrote to memory of 5000 2124 Pmfhig32.exe 96 PID 5000 wrote to memory of 3688 5000 Pgllfp32.exe 97 PID 5000 wrote to memory of 3688 5000 Pgllfp32.exe 97 PID 5000 wrote to memory of 3688 5000 Pgllfp32.exe 97 PID 3688 wrote to memory of 1656 3688 Pmidog32.exe 98 PID 3688 wrote to memory of 1656 3688 Pmidog32.exe 98 PID 3688 wrote to memory of 1656 3688 Pmidog32.exe 98 PID 1656 wrote to memory of 880 1656 Pfaigm32.exe 99 PID 1656 wrote to memory of 880 1656 Pfaigm32.exe 99 PID 1656 wrote to memory of 880 1656 Pfaigm32.exe 99 PID 880 wrote to memory of 2948 880 Qqfmde32.exe 100 PID 880 wrote to memory of 2948 880 Qqfmde32.exe 100 PID 880 wrote to memory of 2948 880 Qqfmde32.exe 100 PID 2948 wrote to memory of 2712 2948 Qgqeappe.exe 101 PID 2948 wrote to memory of 2712 2948 Qgqeappe.exe 101 PID 2948 wrote to memory of 2712 2948 Qgqeappe.exe 101 PID 2712 wrote to memory of 3380 2712 Qnjnnj32.exe 102 PID 2712 wrote to memory of 3380 2712 Qnjnnj32.exe 102 PID 2712 wrote to memory of 3380 2712 Qnjnnj32.exe 102 PID 3380 wrote to memory of 3512 3380 Qffbbldm.exe 103 PID 3380 wrote to memory of 3512 3380 Qffbbldm.exe 103 PID 3380 wrote to memory of 3512 3380 Qffbbldm.exe 103 PID 3512 wrote to memory of 2652 3512 Aqkgpedc.exe 104 PID 3512 wrote to memory of 2652 3512 Aqkgpedc.exe 104 PID 3512 wrote to memory of 2652 3512 Aqkgpedc.exe 104 PID 2652 wrote to memory of 1452 2652 Anogiicl.exe 105 PID 2652 wrote to memory of 1452 2652 Anogiicl.exe 105 PID 2652 wrote to memory of 1452 2652 Anogiicl.exe 105 PID 1452 wrote to memory of 4652 1452 Aeiofcji.exe 106 PID 1452 wrote to memory of 4652 1452 Aeiofcji.exe 106 PID 1452 wrote to memory of 4652 1452 Aeiofcji.exe 106 PID 4652 wrote to memory of 1372 4652 Amddjegd.exe 107 PID 4652 wrote to memory of 1372 4652 Amddjegd.exe 107 PID 4652 wrote to memory of 1372 4652 Amddjegd.exe 107 PID 1372 wrote to memory of 2496 1372 Aeklkchg.exe 108 PID 1372 wrote to memory of 2496 1372 Aeklkchg.exe 108 PID 1372 wrote to memory of 2496 1372 Aeklkchg.exe 108 PID 2496 wrote to memory of 3724 2496 Andqdh32.exe 109 PID 2496 wrote to memory of 3724 2496 Andqdh32.exe 109 PID 2496 wrote to memory of 3724 2496 Andqdh32.exe 109 PID 3724 wrote to memory of 3816 3724 Acqimo32.exe 110 PID 3724 wrote to memory of 3816 3724 Acqimo32.exe 110 PID 3724 wrote to memory of 3816 3724 Acqimo32.exe 110 PID 3816 wrote to memory of 4840 3816 Anfmjhmd.exe 111 PID 3816 wrote to memory of 4840 3816 Anfmjhmd.exe 111 PID 3816 wrote to memory of 4840 3816 Anfmjhmd.exe 111 PID 4840 wrote to memory of 844 4840 Bfabnjjp.exe 112 PID 4840 wrote to memory of 844 4840 Bfabnjjp.exe 112 PID 4840 wrote to memory of 844 4840 Bfabnjjp.exe 112 PID 844 wrote to memory of 1988 844 Bmkjkd32.exe 113 PID 844 wrote to memory of 1988 844 Bmkjkd32.exe 113 PID 844 wrote to memory of 1988 844 Bmkjkd32.exe 113 PID 1988 wrote to memory of 4444 1988 Bganhm32.exe 114 PID 1988 wrote to memory of 4444 1988 Bganhm32.exe 114 PID 1988 wrote to memory of 4444 1988 Bganhm32.exe 114 PID 4444 wrote to memory of 316 4444 Bnkgeg32.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe"C:\Users\Admin\AppData\Local\Temp\f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe23⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe24⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe26⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe27⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe28⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe29⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe30⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe33⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe34⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe35⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe36⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe37⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe38⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe39⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe40⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe41⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3188 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe44⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe45⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe47⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe48⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe49⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe50⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe51⤵
- Executes dropped EXE
PID:5168 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe52⤵
- Executes dropped EXE
PID:5208 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5328 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe57⤵
- Executes dropped EXE
PID:5412 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe58⤵
- Executes dropped EXE
PID:5456 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe59⤵
- Executes dropped EXE
PID:5496 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe60⤵
- Executes dropped EXE
PID:5536 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe62⤵
- Executes dropped EXE
PID:5616 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe63⤵
- Executes dropped EXE
PID:5660 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe64⤵
- Executes dropped EXE
PID:5704 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe65⤵
- Executes dropped EXE
PID:5744 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe66⤵
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe67⤵PID:5828
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5868 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe69⤵PID:5908
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe70⤵
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5988 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe72⤵
- Modifies registry class
PID:6028 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe73⤵PID:6068
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe74⤵
- Modifies registry class
PID:6108 -
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe75⤵PID:4760
-
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe76⤵PID:5200
-
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe77⤵PID:5236
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe78⤵PID:5312
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe79⤵PID:5380
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe80⤵PID:5444
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe81⤵PID:5524
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe82⤵PID:5580
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe83⤵PID:5672
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe84⤵PID:5764
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe85⤵PID:5836
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe86⤵PID:5896
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe87⤵PID:5976
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe88⤵
- Drops file in System32 directory
PID:6052 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe89⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe90⤵PID:4224
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe91⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe93⤵PID:5596
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe94⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5820 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe96⤵PID:5956
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe97⤵PID:6104
-
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4772 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe99⤵PID:5324
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe101⤵PID:5732
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe102⤵PID:5928
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6064 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe104⤵PID:5244
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe105⤵
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe106⤵PID:5816
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe107⤵PID:6016
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe108⤵PID:5272
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe109⤵PID:3844
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe111⤵PID:5728
-
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe114⤵PID:6156
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe115⤵
- Modifies registry class
PID:6216 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe116⤵
- Drops file in System32 directory
PID:6268 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6312 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe118⤵PID:6352
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe119⤵PID:6396
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6444 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe121⤵PID:6488
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-