Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2024, 03:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0a19455c8d43d962890dbd5e05eb5b9.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
e0a19455c8d43d962890dbd5e05eb5b9.exe
Resource
win10v2004-20240319-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e0a19455c8d43d962890dbd5e05eb5b9.exe
-
Size
72KB
-
MD5
e0a19455c8d43d962890dbd5e05eb5b9
-
SHA1
18335076020b3ba3502413fa1d02971e02de206c
-
SHA256
975ce795a67de53a1d6f083d6bbce09e63271a6dbcfe0de228322f60f6c1bc17
-
SHA512
a5d3755a2b8f17846224423e75d240d279555e9b23277ce15134e28ddd7977a7771e21c5e90941aa1abb3fb97ebf817d55423144623b059a9e593413e23062ec
-
SSDEEP
768:Rxq+UVyQnwBJd1uxPHAEWNrEQwXJkKXK8/xtr1RCvXzHu3zSWEtnGNlyMspXbAvd:RxPS2EWO+Ka8wqjLNUpi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poodpmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnbklm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjffpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noehba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmniml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijchhbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpqnneo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbinam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnljkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmgiaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgehfkop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkodhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbnngbbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dckdjomg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfaemp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mniallpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgbjbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmaamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbbpmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmjmjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qoelkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elpkep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iinjhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebfng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbebilli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aadifclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdfoio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ielfgmnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgoeep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplobcpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknbkjfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahinkaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmjqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjelc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjjlhle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anaomkdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daeifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hheoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbjelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knflpoqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihipdhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfepdg32.exe -
Executes dropped EXE 64 IoCs
pid Process 4968 Afjlnk32.exe 1548 Agjhgngj.exe 5092 Andqdh32.exe 452 Aeniabfd.exe 1796 Afoeiklb.exe 4136 Aadifclh.exe 3900 Bnhjohkb.exe 1940 Bebblb32.exe 796 Bjokdipf.exe 1808 Bnmcjg32.exe 732 Bfhhoi32.exe 2368 Beihma32.exe 1064 Bnbmefbg.exe 4276 Bcoenmao.exe 400 Cndikf32.exe 2548 Cdabcm32.exe 2632 Cmiflbel.exe 3248 Cnicfe32.exe 4512 Cagobalc.exe 3468 Cfdhkhjj.exe 3356 Cajlhqjp.exe 116 Cffdpghg.exe 4000 Dhfajjoj.exe 2276 Dopigd32.exe 3964 Ddmaok32.exe 568 Dmefhako.exe 1436 Dkifae32.exe 3496 Dmgbnq32.exe 2708 Dhmgki32.exe 4104 Dmjocp32.exe 5036 Dddhpjof.exe 928 Dknpmdfc.exe 5080 Eecdjmfi.exe 4432 Ekpmbddq.exe 3752 Ehdmlhcj.exe 4192 Ekbihd32.exe 5000 Ealadnik.exe 1340 Eejjjl32.exe 4332 Emeoooml.exe 1356 Ehkclgmb.exe 3808 Fdbdah32.exe 4132 Fkllnbjc.exe 5160 Fnmepn32.exe 5204 Fgeihcme.exe 5248 Fnobem32.exe 5288 Fnckpmql.exe 5328 Gnfhfl32.exe 5368 Gepmlimi.exe 5412 Gnkaalkd.exe 5452 Ghpendjj.exe 5492 Gojnko32.exe 5532 Gkaopp32.exe 5572 Hheoid32.exe 5612 Hoogfnnb.exe 5652 Hfipbh32.exe 5692 Hnddgjbj.exe 5736 Hhihdcbp.exe 5784 Hnfamjqg.exe 5824 Hgoeep32.exe 5868 Hkmnln32.exe 5924 Ifbbig32.exe 5964 Igcoqocb.exe 6008 Ifdonfka.exe 6052 Ieliebnf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nobdka32.dll Gnkaalkd.exe File opened for modification C:\Windows\SysWOW64\Kiggbhda.exe Kqpoakco.exe File opened for modification C:\Windows\SysWOW64\Knkekn32.exe Kgamnded.exe File created C:\Windows\SysWOW64\Gjecbd32.dll Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Fncibg32.exe Fcneeo32.exe File created C:\Windows\SysWOW64\Jkodhk32.exe Jkmgblok.exe File created C:\Windows\SysWOW64\Ohnebd32.exe Oofaiokl.exe File created C:\Windows\SysWOW64\Nbkdke32.dll Kmdlffhj.exe File created C:\Windows\SysWOW64\Odhifjkg.exe Neqopnhb.exe File created C:\Windows\SysWOW64\Hmkigh32.exe Hfaajnfb.exe File created C:\Windows\SysWOW64\Phjenbhp.exe Pcmlfl32.exe File created C:\Windows\SysWOW64\Nfenigce.dll Mfpell32.exe File opened for modification C:\Windows\SysWOW64\Pbjddh32.exe Pplhhm32.exe File opened for modification C:\Windows\SysWOW64\Ckggnp32.exe Cgklmacf.exe File created C:\Windows\SysWOW64\Ohgohiia.dll Ggepalof.exe File opened for modification C:\Windows\SysWOW64\Klmnkdal.exe Kahinkaf.exe File opened for modification C:\Windows\SysWOW64\Igcoqocb.exe Ifbbig32.exe File opened for modification C:\Windows\SysWOW64\Hcljmj32.exe Hkaeih32.exe File created C:\Windows\SysWOW64\Bgnkhg32.exe Bogcgj32.exe File created C:\Windows\SysWOW64\Okedcjcm.exe Nhdlao32.exe File created C:\Windows\SysWOW64\Lknojl32.exe Lqikmc32.exe File created C:\Windows\SysWOW64\Ndikch32.dll Bphgeo32.exe File opened for modification C:\Windows\SysWOW64\Dnajppda.exe Dakikoom.exe File opened for modification C:\Windows\SysWOW64\Fbdnne32.exe Fcbnpnme.exe File opened for modification C:\Windows\SysWOW64\Igmoih32.exe Iabglnco.exe File opened for modification C:\Windows\SysWOW64\Kbbhqn32.exe Knflpoqf.exe File created C:\Windows\SysWOW64\Hgfapd32.exe Hibafp32.exe File opened for modification C:\Windows\SysWOW64\Eiokinbk.exe Enigke32.exe File opened for modification C:\Windows\SysWOW64\Oikjkc32.exe Ocnabm32.exe File created C:\Windows\SysWOW64\Cmiflbel.exe Cdabcm32.exe File opened for modification C:\Windows\SysWOW64\Mnlnbl32.exe Mahnhhod.exe File created C:\Windows\SysWOW64\Jmheim32.dll Elgaeolp.exe File created C:\Windows\SysWOW64\Eqkondfl.exe Enlcahgh.exe File created C:\Windows\SysWOW64\Pdggmekl.dll Hnfamjqg.exe File created C:\Windows\SysWOW64\Clfabmda.dll Epcdqd32.exe File created C:\Windows\SysWOW64\Bjpjel32.exe Bmlilh32.exe File opened for modification C:\Windows\SysWOW64\Ljbnfleo.exe Lhcali32.exe File opened for modification C:\Windows\SysWOW64\Mhoipb32.exe Meamcg32.exe File created C:\Windows\SysWOW64\Mieced32.dll Mbighjdd.exe File created C:\Windows\SysWOW64\Ddooacnk.dll Igpdfb32.exe File created C:\Windows\SysWOW64\Emjgim32.exe Eiokinbk.exe File opened for modification C:\Windows\SysWOW64\Flkdfh32.exe Ffnknafg.exe File created C:\Windows\SysWOW64\Dahcld32.dll Igdgglfl.exe File opened for modification C:\Windows\SysWOW64\Lobjni32.exe Lfjfecno.exe File created C:\Windows\SysWOW64\Fcbnpnme.exe Fdpnda32.exe File created C:\Windows\SysWOW64\Fineoi32.exe Ffpicn32.exe File opened for modification C:\Windows\SysWOW64\Iahlcaol.exe Ikndgg32.exe File created C:\Windows\SysWOW64\Mcecjmkl.exe Maggnali.exe File opened for modification C:\Windows\SysWOW64\Amnlme32.exe Apjkcadp.exe File created C:\Windows\SysWOW64\Oikjkc32.exe Ocnabm32.exe File created C:\Windows\SysWOW64\Fbfkceca.exe Fnjocf32.exe File opened for modification C:\Windows\SysWOW64\Nlleaeff.exe Nebmekoi.exe File opened for modification C:\Windows\SysWOW64\Pmaffnce.exe Phdnngdn.exe File created C:\Windows\SysWOW64\Pjldplpd.dll Bochmn32.exe File opened for modification C:\Windows\SysWOW64\Chnlgjlb.exe Cpfcfmlp.exe File created C:\Windows\SysWOW64\Ghnllm32.dll Nmcpoedn.exe File created C:\Windows\SysWOW64\Caaimlpo.dll Bdlfjh32.exe File created C:\Windows\SysWOW64\Ephbhd32.exe Egpnooan.exe File created C:\Windows\SysWOW64\Ccmgiaig.exe Cfigpm32.exe File opened for modification C:\Windows\SysWOW64\Hgkkkcbc.exe Hgfapd32.exe File created C:\Windows\SysWOW64\Jojdlfeo.exe Jhplpl32.exe File opened for modification C:\Windows\SysWOW64\Abmjqe32.exe Apnndj32.exe File created C:\Windows\SysWOW64\Gblnkg32.dll Bfhhoi32.exe File created C:\Windows\SysWOW64\Hnddgjbj.exe Hfipbh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10948 9848 WerFault.exe 988 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfapnkp.dll" Bcghch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdgdeppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddmaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmqgpgoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhcgin.dll" Mniallpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhcpa32.dll" Oldamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmncbodd.dll" Oboijgbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aajohjon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iinjhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmaamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bemqih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgflqkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdccbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdilnojp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Affikdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijmhkchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpdboimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbom32.dll" Poodpmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll" Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" Cdabcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajcdnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ampaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcnnllcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ledoegkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebafce32.dll" Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgobjmp.dll" Nlfnaicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khbiello.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll" Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaonbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piapkbeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcbd32.dll" Onkidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll" Ppolhcnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkmnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgklej32.dll" Hncmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igliicdk.dll" Akcjkfij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" Ddmaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iafonaao.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3328 wrote to memory of 4968 3328 e0a19455c8d43d962890dbd5e05eb5b9.exe 93 PID 3328 wrote to memory of 4968 3328 e0a19455c8d43d962890dbd5e05eb5b9.exe 93 PID 3328 wrote to memory of 4968 3328 e0a19455c8d43d962890dbd5e05eb5b9.exe 93 PID 4968 wrote to memory of 1548 4968 Afjlnk32.exe 94 PID 4968 wrote to memory of 1548 4968 Afjlnk32.exe 94 PID 4968 wrote to memory of 1548 4968 Afjlnk32.exe 94 PID 1548 wrote to memory of 5092 1548 Agjhgngj.exe 95 PID 1548 wrote to memory of 5092 1548 Agjhgngj.exe 95 PID 1548 wrote to memory of 5092 1548 Agjhgngj.exe 95 PID 5092 wrote to memory of 452 5092 Andqdh32.exe 96 PID 5092 wrote to memory of 452 5092 Andqdh32.exe 96 PID 5092 wrote to memory of 452 5092 Andqdh32.exe 96 PID 452 wrote to memory of 1796 452 Aeniabfd.exe 97 PID 452 wrote to memory of 1796 452 Aeniabfd.exe 97 PID 452 wrote to memory of 1796 452 Aeniabfd.exe 97 PID 1796 wrote to memory of 4136 1796 Afoeiklb.exe 98 PID 1796 wrote to memory of 4136 1796 Afoeiklb.exe 98 PID 1796 wrote to memory of 4136 1796 Afoeiklb.exe 98 PID 4136 wrote to memory of 3900 4136 Aadifclh.exe 99 PID 4136 wrote to memory of 3900 4136 Aadifclh.exe 99 PID 4136 wrote to memory of 3900 4136 Aadifclh.exe 99 PID 3900 wrote to memory of 1940 3900 Bnhjohkb.exe 100 PID 3900 wrote to memory of 1940 3900 Bnhjohkb.exe 100 PID 3900 wrote to memory of 1940 3900 Bnhjohkb.exe 100 PID 1940 wrote to memory of 796 1940 Bebblb32.exe 101 PID 1940 wrote to memory of 796 1940 Bebblb32.exe 101 PID 1940 wrote to memory of 796 1940 Bebblb32.exe 101 PID 796 wrote to memory of 1808 796 Bjokdipf.exe 103 PID 796 wrote to memory of 1808 796 Bjokdipf.exe 103 PID 796 wrote to memory of 1808 796 Bjokdipf.exe 103 PID 1808 wrote to memory of 732 1808 Bnmcjg32.exe 104 PID 1808 wrote to memory of 732 1808 Bnmcjg32.exe 104 PID 1808 wrote to memory of 732 1808 Bnmcjg32.exe 104 PID 732 wrote to memory of 2368 732 Bfhhoi32.exe 105 PID 732 wrote to memory of 2368 732 Bfhhoi32.exe 105 PID 732 wrote to memory of 2368 732 Bfhhoi32.exe 105 PID 2368 wrote to memory of 1064 2368 Beihma32.exe 106 PID 2368 wrote to memory of 1064 2368 Beihma32.exe 106 PID 2368 wrote to memory of 1064 2368 Beihma32.exe 106 PID 1064 wrote to memory of 4276 1064 Bnbmefbg.exe 107 PID 1064 wrote to memory of 4276 1064 Bnbmefbg.exe 107 PID 1064 wrote to memory of 4276 1064 Bnbmefbg.exe 107 PID 4276 wrote to memory of 400 4276 Bcoenmao.exe 109 PID 4276 wrote to memory of 400 4276 Bcoenmao.exe 109 PID 4276 wrote to memory of 400 4276 Bcoenmao.exe 109 PID 400 wrote to memory of 2548 400 Cndikf32.exe 110 PID 400 wrote to memory of 2548 400 Cndikf32.exe 110 PID 400 wrote to memory of 2548 400 Cndikf32.exe 110 PID 2548 wrote to memory of 2632 2548 Cdabcm32.exe 111 PID 2548 wrote to memory of 2632 2548 Cdabcm32.exe 111 PID 2548 wrote to memory of 2632 2548 Cdabcm32.exe 111 PID 2632 wrote to memory of 3248 2632 Cmiflbel.exe 113 PID 2632 wrote to memory of 3248 2632 Cmiflbel.exe 113 PID 2632 wrote to memory of 3248 2632 Cmiflbel.exe 113 PID 3248 wrote to memory of 4512 3248 Cnicfe32.exe 114 PID 3248 wrote to memory of 4512 3248 Cnicfe32.exe 114 PID 3248 wrote to memory of 4512 3248 Cnicfe32.exe 114 PID 4512 wrote to memory of 3468 4512 Cagobalc.exe 115 PID 4512 wrote to memory of 3468 4512 Cagobalc.exe 115 PID 4512 wrote to memory of 3468 4512 Cagobalc.exe 115 PID 3468 wrote to memory of 3356 3468 Cfdhkhjj.exe 116 PID 3468 wrote to memory of 3356 3468 Cfdhkhjj.exe 116 PID 3468 wrote to memory of 3356 3468 Cfdhkhjj.exe 116 PID 3356 wrote to memory of 116 3356 Cajlhqjp.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0a19455c8d43d962890dbd5e05eb5b9.exe"C:\Users\Admin\AppData\Local\Temp\e0a19455c8d43d962890dbd5e05eb5b9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe23⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe24⤵PID:2236
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe25⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe28⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe29⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe30⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe31⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe32⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe33⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe34⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe35⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe36⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe37⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe38⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe39⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe40⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe41⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe42⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe43⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe44⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe45⤵
- Executes dropped EXE
PID:5160 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe46⤵
- Executes dropped EXE
PID:5204 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe47⤵
- Executes dropped EXE
PID:5248 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe48⤵
- Executes dropped EXE
PID:5288 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe49⤵
- Executes dropped EXE
PID:5328 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe50⤵
- Executes dropped EXE
PID:5368 -
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe52⤵
- Executes dropped EXE
PID:5452 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe53⤵
- Executes dropped EXE
PID:5492 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe54⤵
- Executes dropped EXE
PID:5532 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5572 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe56⤵
- Executes dropped EXE
PID:5612 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe58⤵
- Executes dropped EXE
PID:5692 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe59⤵
- Executes dropped EXE
PID:5736 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5824 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5924 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe64⤵
- Executes dropped EXE
PID:5964 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe65⤵
- Executes dropped EXE
PID:6008 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe67⤵PID:6092
-
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe68⤵PID:6132
-
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe69⤵PID:5168
-
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe70⤵PID:5228
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe71⤵PID:5300
-
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe72⤵PID:5356
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe73⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5504 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe75⤵PID:5552
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe76⤵PID:5588
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe77⤵PID:5728
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe78⤵PID:5820
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe79⤵PID:5860
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe80⤵PID:5952
-
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe81⤵PID:6036
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe82⤵
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe83⤵PID:5144
-
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe84⤵PID:5276
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe86⤵PID:5500
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe87⤵PID:5600
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5768 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe89⤵PID:5908
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe90⤵PID:6024
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe91⤵PID:3012
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe92⤵PID:5340
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe93⤵PID:5476
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe94⤵PID:5680
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe95⤵PID:5852
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe96⤵PID:2404
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe97⤵PID:4232
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe98⤵PID:5772
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe99⤵PID:5480
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe100⤵PID:1056
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4984 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe102⤵PID:6176
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe103⤵
- Drops file in System32 directory
PID:6228 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe104⤵PID:6292
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe105⤵PID:6360
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe106⤵PID:6420
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe107⤵PID:6464
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe108⤵PID:6512
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe109⤵PID:6556
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe110⤵PID:6604
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe111⤵PID:6648
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe112⤵PID:6700
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe113⤵PID:6740
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe114⤵PID:6788
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe115⤵PID:6848
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe116⤵PID:6892
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe117⤵PID:6936
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe118⤵
- Drops file in System32 directory
PID:6980 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe119⤵PID:7020
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe120⤵PID:7068
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe121⤵PID:7108
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-