Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28/03/2024, 21:27
Static task
static1
Behavioral task
behavioral1
Sample
6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe
Resource
win10v2004-20240226-en
General
-
Target
6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe
-
Size
136KB
-
MD5
0ca961957b360d8ed1a4f24e955e32d1
-
SHA1
23dfa732ecdf69fdb59e634a5a901057a810a2b6
-
SHA256
6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c
-
SHA512
a126205241dc5c7b84834b93beaa7e249b3356e072b012e9946da375595704a262d78b7d66b00c5be4d173e01475b9f6c37ebed6828ae65d6f0ab4d972b10d71
-
SSDEEP
3072:zf6zMwkDuBoBXFm6P6mTqIMF+AYoi/mjRrz3OT:zf64luBoB3PT06oi/GOT
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pihmjqfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nqklmpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Apekch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dcdimopp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aiolam32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkihknfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kmjqmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pldlqlgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppdbljkd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbocea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbhkac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjhmgeao.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqikdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Haggelfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bbofkbbh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epopgbia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbocea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Blennh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbmfoa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgfoan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnmopdep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpikgj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iabgaklg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kpepcedo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laalifad.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fifdgblo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfachc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfffjqdf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpolqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ahkflk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eoifcnid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mnocof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkncdifl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmhfhp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpkhmi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cohdebfi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ficgacna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iidipnal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lcdegnep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Plfiflen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Piockppb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kkihknfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kaemnhla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmkbnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gqikdn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcggpj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Liekmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pniomgpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dllmfd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdemhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnolfdcn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfljmdjc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Haidklda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbckbepg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dpcpkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gjclbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Liggbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjqjih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkjjij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngcgcjnc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fopldmcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kbfiep32.exe
-
UPX dump on OEP (original entry point) 33 IoCs
resource | yara_rule
behavioral2/files/0x00090000000231d6-6.dat | UPX
behavioral2/files/0x00070000000231de-14.dat | UPX
behavioral2/files/0x00070000000231e0-23.dat | UPX
behavioral2/files/0x00070000000231e2-30.dat | UPX
behavioral2/files/0x00070000000231e4-38.dat | UPX
behavioral2/files/0x00070000000231e6-46.dat | UPX
behavioral2/files/0x00070000000231e8-54.dat | UPX
behavioral2/files/0x00070000000231ea-62.dat | UPX
behavioral2/files/0x00070000000231ec-70.dat | UPX
behavioral2/files/0x00070000000231ee-78.dat | UPX
behavioral2/files/0x00070000000231f0-86.dat | UPX
behavioral2/files/0x00070000000231f2-94.dat | UPX
behavioral2/files/0x00070000000231f4-102.dat | UPX
behavioral2/files/0x00070000000231f6-110.dat | UPX
behavioral2/files/0x00070000000231f8-118.dat | UPX
behavioral2/files/0x00070000000231fa-127.dat | UPX
behavioral2/files/0x00070000000231fc-134.dat | UPX
behavioral2/files/0x00070000000231fe-142.dat | UPX
behavioral2/files/0x0007000000023200-150.dat | UPX
behavioral2/files/0x0007000000023202-158.dat | UPX
behavioral2/files/0x0007000000023204-167.dat | UPX
behavioral2/files/0x0007000000023206-174.dat | UPX
behavioral2/files/0x0007000000023208-182.dat | UPX
behavioral2/files/0x000700000002320a-190.dat | UPX
behavioral2/files/0x000700000002320c-198.dat | UPX
behavioral2/files/0x000700000002320d-206.dat | UPX
behavioral2/files/0x000700000002320f-214.dat | UPX
behavioral2/files/0x0007000000023211-223.dat | UPX
behavioral2/files/0x0007000000023213-230.dat | UPX
behavioral2/files/0x0007000000023215-238.dat | UPX
behavioral2/files/0x0007000000023217-248.dat | UPX
behavioral2/files/0x0007000000023219-254.dat | UPX
behavioral2/files/0x00070000000233cc-1646.dat | UPX
-
Executes dropped EXE 64 IoCs
pid | Process
3464 | Oiccoa32.exe
3672 | Opmllk32.exe
436 | Pblhhg32.exe
3340 | Piepdahl.exe
4948 | Pldlqlgp.exe
216 | Paaeiceg.exe
2588 | Pihmjqfj.exe
4884 | Plfiflen.exe
4408 | Pneebg32.exe
5132 | Pacaoc32.exe
5124 | Phmjkmka.exe
668 | Ppdbljkd.exe
1172 | Pbbnhfjh.exe
1660 | Pimfep32.exe
1572 | Pniomgpl.exe
4004 | Pbekne32.exe
4092 | Piockppb.exe
5008 | Qpikgj32.exe
5348 | Qajhobmm.exe
832 | Qhdpll32.exe
2612 | Qlpllkmc.exe
1952 | Qpkhmi32.exe
2816 | Qehqepcc.exe
556 | Qiclfo32.exe
6080 | Apndbici.exe
6024 | Ablaodbm.exe
3964 | Aldegj32.exe
4720 | Appahiag.exe
5040 | Aaanpa32.exe
1784 | Ahkflk32.exe
2456 | Algbmjgk.exe
5684 | Aackeqeb.exe
4768 | Aikbfnfd.exe
4224 | Apekch32.exe
5848 | Abcgoc32.exe
1364 | Aeacko32.exe
2380 | Ahppgjjl.exe
5536 | Alkkhi32.exe
3444 | Abedecjb.exe
3276 | Aiolam32.exe
3908 | Blnhni32.exe
4252 | Boldjd32.exe
3508 | Befmfngc.exe
4512 | Bpladg32.exe
3500 | Bammlomg.exe
5172 | Behiln32.exe
5740 | Blbaihmn.exe
4492 | Boanecla.exe
2224 | Baojaoke.exe
5068 | Bifbbllg.exe
3820 | Blennh32.exe
3724 | Bbofkbbh.exe
5564 | Biiohl32.exe
4992 | Blgkdg32.exe
5304 | Bikkml32.exe
1708 | Chnlihnl.exe
1828 | Cohdebfi.exe
5076 | Ceblbm32.exe
5252 | Chphoh32.exe
1080 | Caimgncj.exe
1604 | Cedihl32.exe
1228 | Cpjmee32.exe
1256 | Cefemliq.exe
1600 | Chebighd.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Fcgoilpj.exe | Fmmfmbhn.exe
File created | C:\Windows\SysWOW64\Hdgohg32.dll | Fbqefhpm.exe
File created | C:\Windows\SysWOW64\Ifmcdblq.exe | Ipckgh32.exe
File opened for modification | C:\Windows\SysWOW64\Jdhine32.exe | Jmnaakne.exe
File opened for modification | C:\Windows\SysWOW64\Qlpllkmc.exe | Qhdpll32.exe
File opened for modification | C:\Windows\SysWOW64\Camfbm32.exe | Chebighd.exe
File created | C:\Windows\SysWOW64\Fqkocpod.exe | Ficgacna.exe
File created | C:\Windows\SysWOW64\Fgpjnm32.dll | Dpcpkc32.exe
File created | C:\Windows\SysWOW64\Gjlfbd32.exe | Gbenqg32.exe
File created | C:\Windows\SysWOW64\Mghpbg32.dll | Kgphpo32.exe
File created | C:\Windows\SysWOW64\Mgekbljc.exe | Mciobn32.exe
File created | C:\Windows\SysWOW64\Gqdbiofi.exe | Gmhfhp32.exe
File created | C:\Windows\SysWOW64\Hfljmdjc.exe | Hcnnaikp.exe
File created | C:\Windows\SysWOW64\Bkankc32.dll | Majopeii.exe
File opened for modification | C:\Windows\SysWOW64\Abedecjb.exe | Alkkhi32.exe
File opened for modification | C:\Windows\SysWOW64\Chphoh32.exe | Ceblbm32.exe
File created | C:\Windows\SysWOW64\Mkeebhjc.dll | Kaemnhla.exe
File created | C:\Windows\SysWOW64\Oimhnoch.dll | Kgdbkohf.exe
File created | C:\Windows\SysWOW64\Pihmjqfj.exe | Paaeiceg.exe
File created | C:\Windows\SysWOW64\Cefemliq.exe | Cpjmee32.exe
File opened for modification | C:\Windows\SysWOW64\Eflhoigi.exe | Ecmlcmhe.exe
File created | C:\Windows\SysWOW64\Bademghm.dll | Ficgacna.exe
File created | C:\Windows\SysWOW64\Hjfihc32.exe | Gmaioo32.exe
File created | C:\Windows\SysWOW64\Ldobbkdk.dll | Kacphh32.exe
File created | C:\Windows\SysWOW64\Bbgkjl32.dll | Lcdegnep.exe
File opened for modification | C:\Windows\SysWOW64\Nkqpjidj.exe | Nqklmpdd.exe
File opened for modification | C:\Windows\SysWOW64\Elhmablc.exe | Ehlaaddj.exe
File created | C:\Windows\SysWOW64\Jdmaid32.dll | Ehlaaddj.exe
File created | C:\Windows\SysWOW64\Lijiaonm.dll | Hmmhjm32.exe
File created | C:\Windows\SysWOW64\Kbfiep32.exe | Kphmie32.exe
File opened for modification | C:\Windows\SysWOW64\Fbgbpihg.exe | Eoifcnid.exe
File created | C:\Windows\SysWOW64\Mpmokb32.exe | Majopeii.exe
File created | C:\Windows\SysWOW64\Ablaodbm.exe | Apndbici.exe
File opened for modification | C:\Windows\SysWOW64\Ebnoikqb.exe | Elagacbk.exe
File created | C:\Windows\SysWOW64\Gpnhekgl.exe | Gjapmdid.exe
File created | C:\Windows\SysWOW64\Kipabjil.exe | Kbfiep32.exe
File opened for modification | C:\Windows\SysWOW64\Gcpapkgp.exe | Fodeolof.exe
File opened for modification | C:\Windows\SysWOW64\Ibjqcd32.exe | Haidklda.exe
File opened for modification | C:\Windows\SysWOW64\Appahiag.exe | Aldegj32.exe
File created | C:\Windows\SysWOW64\Hihjpn32.dll | Fopldmcl.exe
File created | C:\Windows\SysWOW64\Jfffjqdf.exe | Jdhine32.exe
File opened for modification | C:\Windows\SysWOW64\Lgbnmm32.exe | Lddbqa32.exe
File opened for modification | C:\Windows\SysWOW64\Hjmoibog.exe | Hfachc32.exe
File opened for modification | C:\Windows\SysWOW64\Ibojncfj.exe | Ipqnahgf.exe
File created | C:\Windows\SysWOW64\Laefdf32.exe | Lnjjdgee.exe
File created | C:\Windows\SysWOW64\Jehocmdp.dll | Dohmlp32.exe
File created | C:\Windows\SysWOW64\Dllmfd32.exe | Debeijoc.exe
File opened for modification | C:\Windows\SysWOW64\Impepm32.exe | Iidipnal.exe
File created | C:\Windows\SysWOW64\Mcbahlip.exe | Maaepd32.exe
File created | C:\Windows\SysWOW64\Chkede32.dll | Elagacbk.exe
File created | C:\Windows\SysWOW64\Mlilmlna.dll | Iiffen32.exe
File created | C:\Windows\SysWOW64\Imihfl32.exe | Iabgaklg.exe
File created | C:\Windows\SysWOW64\Kpjjod32.exe | Kipabjil.exe
File opened for modification | C:\Windows\SysWOW64\Hapaemll.exe | Hjfihc32.exe
File opened for modification | C:\Windows\SysWOW64\Jdemhe32.exe | Jpjqhgol.exe
File opened for modification | C:\Windows\SysWOW64\Nqiogp32.exe | Nnjbke32.exe
File created | C:\Windows\SysWOW64\Jjblgaie.dll | Kkihknfg.exe
File created | C:\Windows\SysWOW64\Kgphpo32.exe | Kpepcedo.exe
File created | C:\Windows\SysWOW64\Higjda32.dll | Pniomgpl.exe
File opened for modification | C:\Windows\SysWOW64\Behiln32.exe | Bammlomg.exe
File created | C:\Windows\SysWOW64\Fgjnbc32.dll | Behiln32.exe
File opened for modification | C:\Windows\SysWOW64\Dhlhjf32.exe | Dabpnlkp.exe
File opened for modification | C:\Windows\SysWOW64\Gpnhekgl.exe | Gjapmdid.exe
File created | C:\Windows\SysWOW64\Qchnlc32.dll | Hpgkkioa.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
8460 | 8364 | WerFault.exe | 361
-
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mgnnhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ehlaaddj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eoifcnid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iabgaklg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jjpeepnb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Baojaoke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjcgohig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jbfpobpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Impepm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iapjlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll" | Haidklda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Debeijoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gcggpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll" | Jdemhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lgneampk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mdiklqhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjmgbb.dll" | Opmllk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll" | Hpenfjad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aackeqeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgphpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Maaepd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngcgcjnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ceblbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll" | Kkkdan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Appahiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll" | Fijmbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jbocea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epkajgee.dll" | Pblhhg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Imihfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejnmepn.dll" | Ehjdldfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fbnhphbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gimjhafg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dhlhjf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ehhgfdho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll" | Ficgacna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll" | Ffggkgmk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Plfiflen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pimfep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkncdifl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfjlh32.dll" | Qajhobmm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lcdegnep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nqiogp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ejbkehcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hcnnaikp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fcikolnh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chphoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Clckpf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll" | Ibmmhdhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll" | Jpgdbg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Caimgncj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cichoi32.dll" | Ehhgfdho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gqfooodg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll" | Gjclbc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lgpagm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pbekne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lgbnmm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ficgacna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagaaq32.dll" | Ebnoikqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Boldjd32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5284 wrote to memory of 3464 | 5284 | 6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe | 85
PID 5284 wrote to memory of 3464 | 5284 | 6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe | 85
PID 5284 wrote to memory of 3464 | 5284 | 6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe | 85
PID 3464 wrote to memory of 3672 | 3464 | Oiccoa32.exe | 86
PID 3464 wrote to memory of 3672 | 3464 | Oiccoa32.exe | 86
PID 3464 wrote to memory of 3672 | 3464 | Oiccoa32.exe | 86
PID 3672 wrote to memory of 436 | 3672 | Opmllk32.exe | 87
PID 3672 wrote to memory of 436 | 3672 | Opmllk32.exe | 87
PID 3672 wrote to memory of 436 | 3672 | Opmllk32.exe | 87
PID 436 wrote to memory of 3340 | 436 | Pblhhg32.exe | 89
PID 436 wrote to memory of 3340 | 436 | Pblhhg32.exe | 89
PID 436 wrote to memory of 3340 | 436 | Pblhhg32.exe | 89
PID 3340 wrote to memory of 4948 | 3340 | Piepdahl.exe | 90
PID 3340 wrote to memory of 4948 | 3340 | Piepdahl.exe | 90
PID 3340 wrote to memory of 4948 | 3340 | Piepdahl.exe | 90
PID 4948 wrote to memory of 216 | 4948 | Pldlqlgp.exe | 92
PID 4948 wrote to memory of 216 | 4948 | Pldlqlgp.exe | 92
PID 4948 wrote to memory of 216 | 4948 | Pldlqlgp.exe | 92
PID 216 wrote to memory of 2588 | 216 | Paaeiceg.exe | 93
PID 216 wrote to memory of 2588 | 216 | Paaeiceg.exe | 93
PID 216 wrote to memory of 2588 | 216 | Paaeiceg.exe | 93
PID 2588 wrote to memory of 4884 | 2588 | Pihmjqfj.exe | 94
PID 2588 wrote to memory of 4884 | 2588 | Pihmjqfj.exe | 94
PID 2588 wrote to memory of 4884 | 2588 | Pihmjqfj.exe | 94
PID 4884 wrote to memory of 4408 | 4884 | Plfiflen.exe | 95
PID 4884 wrote to memory of 4408 | 4884 | Plfiflen.exe | 95
PID 4884 wrote to memory of 4408 | 4884 | Plfiflen.exe | 95
PID 4408 wrote to memory of 5132 | 4408 | Pneebg32.exe | 96
PID 4408 wrote to memory of 5132 | 4408 | Pneebg32.exe | 96
PID 4408 wrote to memory of 5132 | 4408 | Pneebg32.exe | 96
PID 5132 wrote to memory of 5124 | 5132 | Pacaoc32.exe | 97
PID 5132 wrote to memory of 5124 | 5132 | Pacaoc32.exe | 97
PID 5132 wrote to memory of 5124 | 5132 | Pacaoc32.exe | 97
PID 5124 wrote to memory of 668 | 5124 | Phmjkmka.exe | 98
PID 5124 wrote to memory of 668 | 5124 | Phmjkmka.exe | 98
PID 5124 wrote to memory of 668 | 5124 | Phmjkmka.exe | 98
PID 668 wrote to memory of 1172 | 668 | Ppdbljkd.exe | 99
PID 668 wrote to memory of 1172 | 668 | Ppdbljkd.exe | 99
PID 668 wrote to memory of 1172 | 668 | Ppdbljkd.exe | 99
PID 1172 wrote to memory of 1660 | 1172 | Pbbnhfjh.exe | 100
PID 1172 wrote to memory of 1660 | 1172 | Pbbnhfjh.exe | 100
PID 1172 wrote to memory of 1660 | 1172 | Pbbnhfjh.exe | 100
PID 1660 wrote to memory of 1572 | 1660 | Pimfep32.exe | 101
PID 1660 wrote to memory of 1572 | 1660 | Pimfep32.exe | 101
PID 1660 wrote to memory of 1572 | 1660 | Pimfep32.exe | 101
PID 1572 wrote to memory of 4004 | 1572 | Pniomgpl.exe | 103
PID 1572 wrote to memory of 4004 | 1572 | Pniomgpl.exe | 103
PID 1572 wrote to memory of 4004 | 1572 | Pniomgpl.exe | 103
PID 4004 wrote to memory of 4092 | 4004 | Pbekne32.exe | 104
PID 4004 wrote to memory of 4092 | 4004 | Pbekne32.exe | 104
PID 4004 wrote to memory of 4092 | 4004 | Pbekne32.exe | 104
PID 4092 wrote to memory of 5008 | 4092 | Piockppb.exe | 105
PID 4092 wrote to memory of 5008 | 4092 | Piockppb.exe | 105
PID 4092 wrote to memory of 5008 | 4092 | Piockppb.exe | 105
PID 5008 wrote to memory of 5348 | 5008 | Qpikgj32.exe | 106
PID 5008 wrote to memory of 5348 | 5008 | Qpikgj32.exe | 106
PID 5008 wrote to memory of 5348 | 5008 | Qpikgj32.exe | 106
PID 5348 wrote to memory of 832 | 5348 | Qajhobmm.exe | 107
PID 5348 wrote to memory of 832 | 5348 | Qajhobmm.exe | 107
PID 5348 wrote to memory of 832 | 5348 | Qajhobmm.exe | 107
PID 832 wrote to memory of 2612 | 832 | Qhdpll32.exe | 108
PID 832 wrote to memory of 2612 | 832 | Qhdpll32.exe | 108
PID 832 wrote to memory of 2612 | 832 | Qhdpll32.exe | 108
PID 2612 wrote to memory of 1952 | 2612 | Qlpllkmc.exe | 109
Processes
(Each entry gives the executable path, the PID, the command line as recorded, and the behaviour tags attached to that process; the number in brackets is the nesting depth in the process tree, each process being spawned by the one above it.)
- [1] C:\Users\Admin\AppData\Local\Temp\6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe (PID 5284), command line: "C:\Users\Admin\AppData\Local\Temp\6d71763b699f13abaca98582812c389523875c9183f2ac51da171c0e66b6101c.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Oiccoa32.exe (PID 3464), command line: C:\Windows\system32\Oiccoa32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Opmllk32.exe (PID 3672), command line: C:\Windows\system32\Opmllk32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Pblhhg32.exe (PID 436), command line: C:\Windows\system32\Pblhhg32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Piepdahl.exe (PID 3340), command line: C:\Windows\system32\Piepdahl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Pldlqlgp.exe (PID 4948), command line: C:\Windows\system32\Pldlqlgp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Paaeiceg.exe (PID 216), command line: C:\Windows\system32\Paaeiceg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Pihmjqfj.exe (PID 2588), command line: C:\Windows\system32\Pihmjqfj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Plfiflen.exe (PID 4884), command line: C:\Windows\system32\Plfiflen.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Pneebg32.exe (PID 4408), command line: C:\Windows\system32\Pneebg32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Pacaoc32.exe (PID 5132), command line: C:\Windows\system32\Pacaoc32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Phmjkmka.exe (PID 5124), command line: C:\Windows\system32\Phmjkmka.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Ppdbljkd.exe (PID 668), command line: C:\Windows\system32\Ppdbljkd.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Pbbnhfjh.exe (PID 1172), command line: C:\Windows\system32\Pbbnhfjh.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Pimfep32.exe (PID 1660), command line: C:\Windows\system32\Pimfep32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Pniomgpl.exe (PID 1572), command line: C:\Windows\system32\Pniomgpl.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Pbekne32.exe (PID 4004), command line: C:\Windows\system32\Pbekne32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [18] C:\Windows\SysWOW64\Piockppb.exe (PID 4092), command line: C:\Windows\system32\Piockppb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [19] C:\Windows\SysWOW64\Qpikgj32.exe (PID 5008), command line: C:\Windows\system32\Qpikgj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [20] C:\Windows\SysWOW64\Qajhobmm.exe (PID 5348), command line: C:\Windows\system32\Qajhobmm.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [21] C:\Windows\SysWOW64\Qhdpll32.exe (PID 832), command line: C:\Windows\system32\Qhdpll32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [22] C:\Windows\SysWOW64\Qlpllkmc.exe (PID 2612), command line: C:\Windows\system32\Qlpllkmc.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [23] C:\Windows\SysWOW64\Qpkhmi32.exe (PID 1952), command line: C:\Windows\system32\Qpkhmi32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [24] C:\Windows\SysWOW64\Qehqepcc.exe (PID 2816), command line: C:\Windows\system32\Qehqepcc.exe
  - Executes dropped EXE
- [25] C:\Windows\SysWOW64\Qiclfo32.exe (PID 556), command line: C:\Windows\system32\Qiclfo32.exe
  - Executes dropped EXE
- [26] C:\Windows\SysWOW64\Apndbici.exe (PID 6080), command line: C:\Windows\system32\Apndbici.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [27] C:\Windows\SysWOW64\Ablaodbm.exe (PID 6024), command line: C:\Windows\system32\Ablaodbm.exe
  - Executes dropped EXE
- [28] C:\Windows\SysWOW64\Aldegj32.exe (PID 3964), command line: C:\Windows\system32\Aldegj32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [29] C:\Windows\SysWOW64\Appahiag.exe (PID 4720), command line: C:\Windows\system32\Appahiag.exe
  - Executes dropped EXE
  - Modifies registry class
- [30] C:\Windows\SysWOW64\Aaanpa32.exe (PID 5040), command line: C:\Windows\system32\Aaanpa32.exe
  - Executes dropped EXE
- [31] C:\Windows\SysWOW64\Ahkflk32.exe (PID 1784), command line: C:\Windows\system32\Ahkflk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [32] C:\Windows\SysWOW64\Algbmjgk.exe (PID 2456), command line: C:\Windows\system32\Algbmjgk.exe
  - Executes dropped EXE
- [33] C:\Windows\SysWOW64\Aackeqeb.exe (PID 5684), command line: C:\Windows\system32\Aackeqeb.exe
  - Executes dropped EXE
  - Modifies registry class
- [34] C:\Windows\SysWOW64\Aikbfnfd.exe (PID 4768), command line: C:\Windows\system32\Aikbfnfd.exe
  - Executes dropped EXE
- [35] C:\Windows\SysWOW64\Apekch32.exe (PID 4224), command line: C:\Windows\system32\Apekch32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [36] C:\Windows\SysWOW64\Abcgoc32.exe (PID 5848), command line: C:\Windows\system32\Abcgoc32.exe
  - Executes dropped EXE
- [37] C:\Windows\SysWOW64\Aeacko32.exe (PID 1364), command line: C:\Windows\system32\Aeacko32.exe
  - Executes dropped EXE
- [38] C:\Windows\SysWOW64\Ahppgjjl.exe (PID 2380), command line: C:\Windows\system32\Ahppgjjl.exe
  - Executes dropped EXE
- [39] C:\Windows\SysWOW64\Alkkhi32.exe (PID 5536), command line: C:\Windows\system32\Alkkhi32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [40] C:\Windows\SysWOW64\Abedecjb.exe (PID 3444), command line: C:\Windows\system32\Abedecjb.exe
  - Executes dropped EXE
- [41] C:\Windows\SysWOW64\Aiolam32.exe (PID 3276), command line: C:\Windows\system32\Aiolam32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [42] C:\Windows\SysWOW64\Blnhni32.exe (PID 3908), command line: C:\Windows\system32\Blnhni32.exe
  - Executes dropped EXE
- [43] C:\Windows\SysWOW64\Boldjd32.exe (PID 4252), command line: C:\Windows\system32\Boldjd32.exe
  - Executes dropped EXE
  - Modifies registry class
- [44] C:\Windows\SysWOW64\Befmfngc.exe (PID 3508), command line: C:\Windows\system32\Befmfngc.exe
  - Executes dropped EXE
- [45] C:\Windows\SysWOW64\Bpladg32.exe (PID 4512), command line: C:\Windows\system32\Bpladg32.exe
  - Executes dropped EXE
- [46] C:\Windows\SysWOW64\Bammlomg.exe (PID 3500), command line: C:\Windows\system32\Bammlomg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [47] C:\Windows\SysWOW64\Behiln32.exe (PID 5172), command line: C:\Windows\system32\Behiln32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [48] C:\Windows\SysWOW64\Blbaihmn.exe (PID 5740), command line: C:\Windows\system32\Blbaihmn.exe
  - Executes dropped EXE
- [49] C:\Windows\SysWOW64\Boanecla.exe (PID 4492), command line: C:\Windows\system32\Boanecla.exe
  - Executes dropped EXE
- [50] C:\Windows\SysWOW64\Baojaoke.exe (PID 2224), command line: C:\Windows\system32\Baojaoke.exe
  - Executes dropped EXE
  - Modifies registry class
- [51] C:\Windows\SysWOW64\Bifbbllg.exe (PID 5068), command line: C:\Windows\system32\Bifbbllg.exe
  - Executes dropped EXE
- [52] C:\Windows\SysWOW64\Blennh32.exe (PID 3820), command line: C:\Windows\system32\Blennh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [53] C:\Windows\SysWOW64\Bbofkbbh.exe (PID 3724), command line: C:\Windows\system32\Bbofkbbh.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [54] C:\Windows\SysWOW64\Biiohl32.exe (PID 5564), command line: C:\Windows\system32\Biiohl32.exe
  - Executes dropped EXE
- [55] C:\Windows\SysWOW64\Blgkdg32.exe (PID 4992), command line: C:\Windows\system32\Blgkdg32.exe
  - Executes dropped EXE
- [56] C:\Windows\SysWOW64\Bikkml32.exe (PID 5304), command line: C:\Windows\system32\Bikkml32.exe
  - Executes dropped EXE
- [57] C:\Windows\SysWOW64\Chnlihnl.exe (PID 1708), command line: C:\Windows\system32\Chnlihnl.exe
  - Executes dropped EXE
- [58] C:\Windows\SysWOW64\Cohdebfi.exe (PID 1828), command line: C:\Windows\system32\Cohdebfi.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [59] C:\Windows\SysWOW64\Ceblbm32.exe (PID 5076), command line: C:\Windows\system32\Ceblbm32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [60] C:\Windows\SysWOW64\Chphoh32.exe (PID 5252), command line: C:\Windows\system32\Chphoh32.exe
  - Executes dropped EXE
  - Modifies registry class
- [61] C:\Windows\SysWOW64\Caimgncj.exe (PID 1080), command line: C:\Windows\system32\Caimgncj.exe
  - Executes dropped EXE
  - Modifies registry class
- [62] C:\Windows\SysWOW64\Cedihl32.exe (PID 1604), command line: C:\Windows\system32\Cedihl32.exe
  - Executes dropped EXE
- [63] C:\Windows\SysWOW64\Cpjmee32.exe (PID 1228), command line: C:\Windows\system32\Cpjmee32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [64] C:\Windows\SysWOW64\Cefemliq.exe (PID 1256), command line: C:\Windows\system32\Cefemliq.exe
  - Executes dropped EXE
- [65] C:\Windows\SysWOW64\Chebighd.exe (PID 1600), command line: C:\Windows\system32\Chebighd.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [66] C:\Windows\SysWOW64\Camfbm32.exe (PID 2732), command line: C:\Windows\system32\Camfbm32.exe
- [67] C:\Windows\SysWOW64\Cidncj32.exe (PID 5868), command line: C:\Windows\system32\Cidncj32.exe
- [68] C:\Windows\SysWOW64\Clckpf32.exe (PID 5916), command line: C:\Windows\system32\Clckpf32.exe
  - Modifies registry class
- [69] C:\Windows\SysWOW64\Cpofpdgd.exe (PID 4068), command line: C:\Windows\system32\Cpofpdgd.exe
- [70] C:\Windows\SysWOW64\Ccmclp32.exe (PID 4608), command line: C:\Windows\system32\Ccmclp32.exe
- [71] C:\Windows\SysWOW64\Cekohk32.exe (PID 3552), command line: C:\Windows\system32\Cekohk32.exe
- [72] C:\Windows\SysWOW64\Dlegeemh.exe (PID 3528), command line: C:\Windows\system32\Dlegeemh.exe
- [73] C:\Windows\SysWOW64\Doccaall.exe (PID 2692), command line: C:\Windows\system32\Doccaall.exe
- [74] C:\Windows\SysWOW64\Dabpnlkp.exe (PID 2516), command line: C:\Windows\system32\Dabpnlkp.exe
  - Drops file in System32 directory
- [75] C:\Windows\SysWOW64\Dhlhjf32.exe (PID 1448), command line: C:\Windows\system32\Dhlhjf32.exe
  - Modifies registry class
- [76] C:\Windows\SysWOW64\Dpcpkc32.exe (PID 3816), command line: C:\Windows\system32\Dpcpkc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- [77] C:\Windows\SysWOW64\Dcalgo32.exe (PID 2348), command line: C:\Windows\system32\Dcalgo32.exe
- [78] C:\Windows\SysWOW64\Dljqpd32.exe (PID 4888), command line: C:\Windows\system32\Dljqpd32.exe
- [79] C:\Windows\SysWOW64\Dohmlp32.exe (PID 1376), command line: C:\Windows\system32\Dohmlp32.exe
  - Drops file in System32 directory
- [80] C:\Windows\SysWOW64\Dcdimopp.exe (PID 4712), command line: C:\Windows\system32\Dcdimopp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [81] C:\Windows\SysWOW64\Debeijoc.exe (PID 2396), command line: C:\Windows\system32\Debeijoc.exe
  - Drops file in System32 directory
  - Modifies registry class
- [82] C:\Windows\SysWOW64\Dllmfd32.exe (PID 6036), command line: C:\Windows\system32\Dllmfd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [83] C:\Windows\SysWOW64\Dphifcoi.exe (PID 3656), command line: C:\Windows\system32\Dphifcoi.exe
- [84] C:\Windows\SysWOW64\Dcfebonm.exe (PID 1580), command line: C:\Windows\system32\Dcfebonm.exe
- [85] C:\Windows\SysWOW64\Dfdbojmq.exe (PID 1668), command line: C:\Windows\system32\Dfdbojmq.exe
- [86] C:\Windows\SysWOW64\Domfgpca.exe (PID 5792), command line: C:\Windows\system32\Domfgpca.exe
- [87] C:\Windows\SysWOW64\Ejbkehcg.exe (PID 5568), command line: C:\Windows\system32\Ejbkehcg.exe
  - Modifies registry class
- [88] C:\Windows\SysWOW64\Elagacbk.exe (PID 1068), command line: C:\Windows\system32\Elagacbk.exe
  - Drops file in System32 directory
- [89] C:\Windows\SysWOW64\Ebnoikqb.exe (PID 2968), command line: C:\Windows\system32\Ebnoikqb.exe
  - Modifies registry class
- [90] C:\Windows\SysWOW64\Ehhgfdho.exe (PID 4936), command line: C:\Windows\system32\Ehhgfdho.exe
  - Modifies registry class
- [91] C:\Windows\SysWOW64\Epopgbia.exe (PID 1072), command line: C:\Windows\system32\Epopgbia.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [92] C:\Windows\SysWOW64\Ecmlcmhe.exe (PID 2760), command line: C:\Windows\system32\Ecmlcmhe.exe
  - Drops file in System32 directory
- [93] C:\Windows\SysWOW64\Eflhoigi.exe (PID 5324), command line: C:\Windows\system32\Eflhoigi.exe
- [94] C:\Windows\SysWOW64\Ehjdldfl.exe (PID 5624), command line: C:\Windows\system32\Ehjdldfl.exe
  - Modifies registry class
- [95] C:\Windows\SysWOW64\Eqalmafo.exe (PID 5112), command line: C:\Windows\system32\Eqalmafo.exe
- [96] C:\Windows\SysWOW64\Ecphimfb.exe (PID 220), command line: C:\Windows\system32\Ecphimfb.exe
- [97] C:\Windows\SysWOW64\Ehlaaddj.exe (PID 4864), command line: C:\Windows\system32\Ehlaaddj.exe
  - Drops file in System32 directory
  - Modifies registry class
- [98] C:\Windows\SysWOW64\Elhmablc.exe (PID 5160), command line: C:\Windows\system32\Elhmablc.exe
- [99] C:\Windows\SysWOW64\Eqciba32.exe (PID 6032), command line: C:\Windows\system32\Eqciba32.exe
- [100] C:\Windows\SysWOW64\Ecbenm32.exe (PID 2032), command line: C:\Windows\system32\Ecbenm32.exe
- [101] C:\Windows\SysWOW64\Eoifcnid.exe (PID 4188), command line: C:\Windows\system32\Eoifcnid.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- [102] C:\Windows\SysWOW64\Fbgbpihg.exe (PID 5648), command line: C:\Windows\system32\Fbgbpihg.exe
- [103] C:\Windows\SysWOW64\Fjnjqfij.exe (PID 2044), command line: C:\Windows\system32\Fjnjqfij.exe
- [104] C:\Windows\SysWOW64\Fmmfmbhn.exe (PID 4556), command line: C:\Windows\system32\Fmmfmbhn.exe
  - Drops file in System32 directory
- [105] C:\Windows\SysWOW64\Fcgoilpj.exe (PID 2244), command line: C:\Windows\system32\Fcgoilpj.exe
- [106] C:\Windows\SysWOW64\Ffekegon.exe (PID 4584), command line: C:\Windows\system32\Ffekegon.exe
- [107] C:\Windows\SysWOW64\Ficgacna.exe (PID 2676), command line: C:\Windows\system32\Ficgacna.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- [108] C:\Windows\SysWOW64\Fqkocpod.exe (PID 4708), command line: C:\Windows\system32\Fqkocpod.exe
- [109] C:\Windows\SysWOW64\Fcikolnh.exe (PID 2460), command line: C:\Windows\system32\Fcikolnh.exe
  - Modifies registry class
- [110] C:\Windows\SysWOW64\Ffggkgmk.exe (PID 3768), command line: C:\Windows\system32\Ffggkgmk.exe
  - Modifies registry class
- [111] C:\Windows\SysWOW64\Fifdgblo.exe (PID 5764), command line: C:\Windows\system32\Fifdgblo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [112] C:\Windows\SysWOW64\Fqmlhpla.exe (PID 980), command line: C:\Windows\system32\Fqmlhpla.exe
- [113] C:\Windows\SysWOW64\Fopldmcl.exe (PID 4808), command line: C:\Windows\system32\Fopldmcl.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- [114] C:\Windows\SysWOW64\Fbnhphbp.exe (PID 1044), command line: C:\Windows\system32\Fbnhphbp.exe
  - Modifies registry class
- [115] C:\Windows\SysWOW64\Ffjdqg32.exe (PID 4536), command line: C:\Windows\system32\Ffjdqg32.exe
- [116] C:\Windows\SysWOW64\Fihqmb32.exe (PID 3364), command line: C:\Windows\system32\Fihqmb32.exe
- [117] C:\Windows\SysWOW64\Fmclmabe.exe (PID 1316), command line: C:\Windows\system32\Fmclmabe.exe
- [118] C:\Windows\SysWOW64\Fobiilai.exe (PID 5560), command line: C:\Windows\system32\Fobiilai.exe
- [119] C:\Windows\SysWOW64\Fbqefhpm.exe (PID 4032), command line: C:\Windows\system32\Fbqefhpm.exe
  - Drops file in System32 directory
- [120] C:\Windows\SysWOW64\Fjhmgeao.exe (PID 3620), command line: C:\Windows\system32\Fjhmgeao.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [121] C:\Windows\SysWOW64\Fijmbb32.exe (PID 2956), command line: C:\Windows\system32\Fijmbb32.exe
  - Modifies registry class
- [122] C:\Windows\SysWOW64\Fodeolof.exe (PID 1496), command line: C:\Windows\system32\Fodeolof.exe
  - Drops file in System32 directory