Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 23:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4600e3c90d9bb4805e907eb3a33bef3.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
b4600e3c90d9bb4805e907eb3a33bef3.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b4600e3c90d9bb4805e907eb3a33bef3.exe
-
Size
45KB
-
MD5
b4600e3c90d9bb4805e907eb3a33bef3
-
SHA1
01001b6f8287265b300a151caad7c5b111ee9a65
-
SHA256
f1cffecd6454c81802dad28c268a201176d394651a8293c268b68b89226a31dc
-
SHA512
62c981b537f314e4b5fcee7115731f714bbeef086f6aa31a7ba9586a6a9ca65ab84904bc81ecc5966b5103bc7ea33ce24fc36324d56de3d86f661307acb651bc
-
SSDEEP
768:VtUBkZaY/N7SqiXtudepjZjMa30cywJymx5Ge8CiN/1H5UK:Z3/NOht5hZdEcxGe87
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmklak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabplobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgkbeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgciff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfcop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbdhepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkciic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dochelmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefcmehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gedbfimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gedbfimc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad b4600e3c90d9bb4805e907eb3a33bef3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgibdjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adblnnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpehd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipefmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdlec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmepgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnogfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbobaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjhgbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndjfgkha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gibkmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkefoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bobhal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpboinpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaekljjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhocfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjfgkha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaekljjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afndjdpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcglec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpeld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" b4600e3c90d9bb4805e907eb3a33bef3.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdngip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmfod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgnokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbbkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gidhbgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndlbmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chhldeho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjijqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcien32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbojjq32.exe -
Executes dropped EXE 64 IoCs
pid Process 2316 Acpdko32.exe 2968 Bnielm32.exe 2656 Bnkbam32.exe 2056 Balkchpi.exe 2600 Baohhgnf.exe 2420 Bobhal32.exe 2916 Cdoajb32.exe 724 Cpfaocal.exe 1616 Ciqcmiei.exe 2888 Clalod32.exe 1108 Cophko32.exe 2712 Chhldeho.exe 1904 Delmmigh.exe 1008 Dkiefp32.exe 1116 Dhmfod32.exe 2260 Dlahng32.exe 2860 Eqamje32.exe 2072 Elhnof32.exe 1052 Egdlec32.exe 1544 Fcmiod32.exe 820 Fgkbeb32.exe 1512 Fgnokb32.exe 752 Fmjgcipg.exe 276 Gjngmmnp.exe 1940 Gcglec32.exe 1004 Glbqje32.exe 2928 Gejebk32.exe 860 Gbnflo32.exe 1536 Gjijqa32.exe 2772 Gmjcblbb.exe 2424 Npaich32.exe 1892 Nenakoho.exe 2752 Hnbaif32.exe 2224 Obeacl32.exe 1880 Bknjfb32.exe 1692 Boifga32.exe 2076 Bfcodkcb.exe 604 Bdhleh32.exe 1176 Bjedmo32.exe 2884 Bqolji32.exe 1728 Cgidfcdk.exe 2228 Cncmcm32.exe 2872 Cdmepgce.exe 1900 Ccpeld32.exe 2116 Cjjnhnbl.exe 2176 Cmmcpi32.exe 2460 Colpld32.exe 2568 Cfehhn32.exe 2524 Cmppehkh.exe 2536 Dnqlmq32.exe 2564 Difqji32.exe 2544 Dncibp32.exe 2388 Daaenlng.exe 2428 Dgknkf32.exe 1648 Djjjga32.exe 792 Deondj32.exe 556 Dgnjqe32.exe 2780 Dhpgfeao.exe 2800 Dnjoco32.exe 2408 Dpklkgoj.exe 1616 Efedga32.exe 2728 Eicpcm32.exe 1008 Eakhdj32.exe 2448 Edidqf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2464 b4600e3c90d9bb4805e907eb3a33bef3.exe 2464 b4600e3c90d9bb4805e907eb3a33bef3.exe 2316 Acpdko32.exe 2316 Acpdko32.exe 2968 Bnielm32.exe 2968 Bnielm32.exe 2656 Bnkbam32.exe 2656 Bnkbam32.exe 2056 Balkchpi.exe 2056 Balkchpi.exe 2600 Baohhgnf.exe 2600 Baohhgnf.exe 2420 Bobhal32.exe 2420 Bobhal32.exe 2916 Cdoajb32.exe 2916 Cdoajb32.exe 724 Cpfaocal.exe 724 Cpfaocal.exe 1616 Ciqcmiei.exe 1616 Ciqcmiei.exe 2888 Clalod32.exe 2888 Clalod32.exe 1108 Cophko32.exe 1108 Cophko32.exe 2712 Chhldeho.exe 2712 Chhldeho.exe 1904 Delmmigh.exe 1904 Delmmigh.exe 1008 Dkiefp32.exe 1008 Dkiefp32.exe 1116 Dhmfod32.exe 1116 Dhmfod32.exe 2260 Dlahng32.exe 2260 Dlahng32.exe 2860 Eqamje32.exe 2860 Eqamje32.exe 2072 Elhnof32.exe 2072 Elhnof32.exe 1052 Egdlec32.exe 1052 Egdlec32.exe 1544 Fcmiod32.exe 1544 Fcmiod32.exe 820 Fgkbeb32.exe 820 Fgkbeb32.exe 1512 Fgnokb32.exe 1512 Fgnokb32.exe 752 Fmjgcipg.exe 752 Fmjgcipg.exe 276 Gjngmmnp.exe 276 Gjngmmnp.exe 1940 Gcglec32.exe 1940 Gcglec32.exe 1004 Glbqje32.exe 1004 Glbqje32.exe 2928 Gejebk32.exe 2928 Gejebk32.exe 860 Gbnflo32.exe 860 Gbnflo32.exe 1536 Gjijqa32.exe 1536 Gjijqa32.exe 2772 Gmjcblbb.exe 2772 Gmjcblbb.exe 2424 Npaich32.exe 2424 Npaich32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mmmloaog.dll Anecfgdc.exe File created C:\Windows\SysWOW64\Ccgnelll.exe Cpiaipmh.exe File created C:\Windows\SysWOW64\Eddjhb32.exe Dnjalhpp.exe File opened for modification C:\Windows\SysWOW64\Kghmhegc.exe Keiqlihp.exe File created C:\Windows\SysWOW64\Jqbbhg32.exe Jjijkmbi.exe File created C:\Windows\SysWOW64\Fnoopd32.dll Jibpghbk.exe File opened for modification C:\Windows\SysWOW64\Hjohmbpd.exe Hklhae32.exe File created C:\Windows\SysWOW64\Ogbogkjn.dll Hfhfhbce.exe File created C:\Windows\SysWOW64\Ikldqile.exe Igqhpj32.exe File created C:\Windows\SysWOW64\Pobiicng.dll Gbmlkl32.exe File created C:\Windows\SysWOW64\Dkiefp32.exe Delmmigh.exe File created C:\Windows\SysWOW64\Bopffl32.dll Bedamd32.exe File opened for modification C:\Windows\SysWOW64\Gfoeel32.exe Gbcien32.exe File created C:\Windows\SysWOW64\Cinefnpo.dll Gdnibdmf.exe File opened for modification C:\Windows\SysWOW64\Ibillk32.exe Iojopp32.exe File opened for modification C:\Windows\SysWOW64\Nlanhh32.exe Ndjfgkha.exe File created C:\Windows\SysWOW64\Fjigapme.dll Ohengmcf.exe File created C:\Windows\SysWOW64\Egdlec32.exe Elhnof32.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Edidqf32.exe File opened for modification C:\Windows\SysWOW64\Gkhaooec.exe Gdnibdmf.exe File created C:\Windows\SysWOW64\Leaohdkk.dll Golgon32.exe File created C:\Windows\SysWOW64\Leghmkmk.dll Dnqlmq32.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Eeojcmfi.exe File created C:\Windows\SysWOW64\Gmhkin32.exe Fimoiopk.exe File created C:\Windows\SysWOW64\Obgmpo32.dll Bjedmo32.exe File opened for modification C:\Windows\SysWOW64\Fkqlgc32.exe Feddombd.exe File opened for modification C:\Windows\SysWOW64\Jjhgbd32.exe Jcnoejch.exe File opened for modification C:\Windows\SysWOW64\Lmpeljkm.exe Lffmpp32.exe File created C:\Windows\SysWOW64\Amjiln32.exe Aebakp32.exe File created C:\Windows\SysWOW64\Dncibp32.exe Difqji32.exe File created C:\Windows\SysWOW64\Dgnjqe32.exe Deondj32.exe File created C:\Windows\SysWOW64\Npabemib.dll Bbqkeioh.exe File opened for modification C:\Windows\SysWOW64\Ehpcehcj.exe Eafkhn32.exe File created C:\Windows\SysWOW64\Gfjkqg32.dll Nljhhi32.exe File opened for modification C:\Windows\SysWOW64\Fipbhd32.exe Fedfgejh.exe File created C:\Windows\SysWOW64\Fpemhb32.exe Fikelhib.exe File created C:\Windows\SysWOW64\Colldggd.dll Lodnjboi.exe File opened for modification C:\Windows\SysWOW64\Ikldqile.exe Igqhpj32.exe File created C:\Windows\SysWOW64\Dhklna32.exe Dqddmd32.exe File created C:\Windows\SysWOW64\Fpkljm32.dll Einebddd.exe File created C:\Windows\SysWOW64\Fipbhd32.exe Fedfgejh.exe File opened for modification C:\Windows\SysWOW64\Lcedne32.exe Kmklak32.exe File opened for modification C:\Windows\SysWOW64\Lfdpjp32.exe Lcedne32.exe File created C:\Windows\SysWOW64\Djcnme32.dll Abgaeddg.exe File created C:\Windows\SysWOW64\Hjpqkajf.dll Dncibp32.exe File opened for modification C:\Windows\SysWOW64\Djjjga32.exe Dgknkf32.exe File created C:\Windows\SysWOW64\Mbendkpn.dll Ajamfh32.exe File created C:\Windows\SysWOW64\Olqdoelc.dll Amoibc32.exe File created C:\Windows\SysWOW64\Oomjld32.dll Ejfllhao.exe File opened for modification C:\Windows\SysWOW64\Bnkbam32.exe Bnielm32.exe File opened for modification C:\Windows\SysWOW64\Fgkbeb32.exe Fcmiod32.exe File opened for modification C:\Windows\SysWOW64\Boifga32.exe Bknjfb32.exe File created C:\Windows\SysWOW64\Glbqje32.exe Gcglec32.exe File created C:\Windows\SysWOW64\Peqiahfi.dll Dhklna32.exe File created C:\Windows\SysWOW64\Gplcia32.exe Gibkmgcj.exe File created C:\Windows\SysWOW64\Kpcmnaip.dll Cfcmlg32.exe File opened for modification C:\Windows\SysWOW64\Fllaopcg.exe Einebddd.exe File created C:\Windows\SysWOW64\Jmfcop32.exe Jjhgbd32.exe File created C:\Windows\SysWOW64\Bkcojhgk.dll Oqkpmaif.exe File created C:\Windows\SysWOW64\Nelafe32.dll Bggjjlnb.exe File opened for modification C:\Windows\SysWOW64\Dhklna32.exe Dqddmd32.exe File opened for modification C:\Windows\SysWOW64\Dgqion32.exe Dcemnopj.exe File created C:\Windows\SysWOW64\Ndlbmk32.exe Nanfqo32.exe File created C:\Windows\SysWOW64\Aemmee32.dll Qaqlbmbn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajamfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amafgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll" Fllaopcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbcien32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmjcblbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goigjpaa.dll" Pjjkfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcedne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfhiepbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abgaeddg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blniinac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pofldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll" Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemmkpog.dll" Gplcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibillk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcijnhod.dll" Kkciic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbkaoalg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npepbkgb.dll" Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iampng32.dll" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikggmnae.dll" Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiabmg32.dll" Epcddopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgocid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" Bobhal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbldk32.dll" Cpiaipmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djoeki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihbdhepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbaaioa.dll" Pcmoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemmee32.dll" Qaqlbmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbiffmpn.dll" Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fikelhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmoeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anhpkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefcmehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaemlqhb.dll" Cojeomee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmdkm32.dll" Gipngg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekolhln.dll" Dlahng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfcmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcoljb32.dll" Mlgkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holgkalp.dll" Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciqcmiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkcccnb.dll" Anhpkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibillk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfcekf32.dll" Jfddkmch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkfojakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnfkg32.dll" Fmjgcipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghibjjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djmiejji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmklak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndlbmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaqlbmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcepqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lffmpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfpjc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2464 wrote to memory of 2316 2464 b4600e3c90d9bb4805e907eb3a33bef3.exe 28 PID 2464 wrote to memory of 2316 2464 b4600e3c90d9bb4805e907eb3a33bef3.exe 28 PID 2464 wrote to memory of 2316 2464 b4600e3c90d9bb4805e907eb3a33bef3.exe 28 PID 2464 wrote to memory of 2316 2464 b4600e3c90d9bb4805e907eb3a33bef3.exe 28 PID 2316 wrote to memory of 2968 2316 Acpdko32.exe 29 PID 2316 wrote to memory of 2968 2316 Acpdko32.exe 29 PID 2316 wrote to memory of 2968 2316 Acpdko32.exe 29 PID 2316 wrote to memory of 2968 2316 Acpdko32.exe 29 PID 2968 wrote to memory of 2656 2968 Bnielm32.exe 30 PID 2968 wrote to memory of 2656 2968 Bnielm32.exe 30 PID 2968 wrote to memory of 2656 2968 Bnielm32.exe 30 PID 2968 wrote to memory of 2656 2968 Bnielm32.exe 30 PID 2656 wrote to memory of 2056 2656 Bnkbam32.exe 31 PID 2656 wrote to memory of 2056 2656 Bnkbam32.exe 31 PID 2656 wrote to memory of 2056 2656 Bnkbam32.exe 31 PID 2656 wrote to memory of 2056 2656 Bnkbam32.exe 31 PID 2056 wrote to memory of 2600 2056 Balkchpi.exe 32 PID 2056 wrote to memory of 2600 2056 Balkchpi.exe 32 PID 2056 wrote to memory of 2600 2056 Balkchpi.exe 32 PID 2056 wrote to memory of 2600 2056 Balkchpi.exe 32 PID 2600 wrote to memory of 2420 2600 Baohhgnf.exe 33 PID 2600 wrote to memory of 2420 2600 Baohhgnf.exe 33 PID 2600 wrote to memory of 2420 2600 Baohhgnf.exe 33 PID 2600 wrote to memory of 2420 2600 Baohhgnf.exe 33 PID 2420 wrote to memory of 2916 2420 Bobhal32.exe 34 PID 2420 wrote to memory of 2916 2420 Bobhal32.exe 34 PID 2420 wrote to memory of 2916 2420 Bobhal32.exe 34 PID 2420 wrote to memory of 2916 2420 Bobhal32.exe 34 PID 2916 wrote to memory of 724 2916 Cdoajb32.exe 35 PID 2916 wrote to memory of 724 2916 Cdoajb32.exe 35 PID 2916 wrote to memory of 724 2916 Cdoajb32.exe 35 PID 2916 wrote to memory of 724 2916 Cdoajb32.exe 35 PID 724 wrote to memory of 1616 724 Cpfaocal.exe 36 PID 724 wrote to memory of 1616 724 Cpfaocal.exe 36 PID 724 wrote to memory of 1616 724 Cpfaocal.exe 36 PID 724 wrote to memory of 1616 724 Cpfaocal.exe 36 PID 1616 wrote to memory of 2888 1616 Ciqcmiei.exe 37 PID 1616 wrote to memory of 2888 1616 Ciqcmiei.exe 37 PID 1616 wrote to memory of 2888 1616 Ciqcmiei.exe 37 PID 1616 wrote to memory of 2888 1616 Ciqcmiei.exe 37 PID 2888 wrote to memory of 1108 2888 Clalod32.exe 38 PID 2888 wrote to memory of 1108 2888 Clalod32.exe 38 PID 2888 wrote to memory of 1108 2888 Clalod32.exe 38 PID 2888 wrote to memory of 1108 2888 Clalod32.exe 38 PID 1108 wrote to memory of 2712 1108 Cophko32.exe 39 PID 1108 wrote to memory of 2712 1108 Cophko32.exe 39 PID 1108 wrote to memory of 2712 1108 Cophko32.exe 39 PID 1108 wrote to memory of 2712 1108 Cophko32.exe 39 PID 2712 wrote to memory of 1904 2712 Chhldeho.exe 40 PID 2712 wrote to memory of 1904 2712 Chhldeho.exe 40 PID 2712 wrote to memory of 1904 2712 Chhldeho.exe 40 PID 2712 wrote to memory of 1904 2712 Chhldeho.exe 40 PID 1904 wrote to memory of 1008 1904 Delmmigh.exe 41 PID 1904 wrote to memory of 1008 1904 Delmmigh.exe 41 PID 1904 wrote to memory of 1008 1904 Delmmigh.exe 41 PID 1904 wrote to memory of 1008 1904 Delmmigh.exe 41 PID 1008 wrote to memory of 1116 1008 Dkiefp32.exe 42 PID 1008 wrote to memory of 1116 1008 Dkiefp32.exe 42 PID 1008 wrote to memory of 1116 1008 Dkiefp32.exe 42 PID 1008 wrote to memory of 1116 1008 Dkiefp32.exe 42 PID 1116 wrote to memory of 2260 1116 Dhmfod32.exe 43 PID 1116 wrote to memory of 2260 1116 Dhmfod32.exe 43 PID 1116 wrote to memory of 2260 1116 Dhmfod32.exe 43 PID 1116 wrote to memory of 2260 1116 Dhmfod32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4600e3c90d9bb4805e907eb3a33bef3.exe"C:\Users\Admin\AppData\Local\Temp\b4600e3c90d9bb4805e907eb3a33bef3.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Bnkbam32.exeC:\Windows\system32\Bnkbam32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Baohhgnf.exeC:\Windows\system32\Baohhgnf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe33⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe34⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Boifga32.exeC:\Windows\system32\Boifga32.exe37⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe39⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe41⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Cgidfcdk.exeC:\Windows\system32\Cgidfcdk.exe42⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe43⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Ccpeld32.exeC:\Windows\system32\Ccpeld32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Cjjnhnbl.exeC:\Windows\system32\Cjjnhnbl.exe46⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Cmmcpi32.exeC:\Windows\system32\Cmmcpi32.exe47⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Colpld32.exeC:\Windows\system32\Colpld32.exe48⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe49⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe50⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Dncibp32.exeC:\Windows\system32\Dncibp32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe54⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Dgknkf32.exeC:\Windows\system32\Dgknkf32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe56⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe58⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Dhpgfeao.exeC:\Windows\system32\Dhpgfeao.exe59⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe60⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe61⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Efedga32.exeC:\Windows\system32\Efedga32.exe62⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe63⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe64⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Edidqf32.exeC:\Windows\system32\Edidqf32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Eemnnn32.exeC:\Windows\system32\Eemnnn32.exe66⤵
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe67⤵PID:276
-
C:\Windows\SysWOW64\Epbbkf32.exeC:\Windows\system32\Epbbkf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Eoebgcol.exeC:\Windows\system32\Eoebgcol.exe69⤵PID:2744
-
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe70⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe71⤵PID:2268
-
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe72⤵PID:2012
-
C:\Windows\SysWOW64\Eafkhn32.exeC:\Windows\system32\Eafkhn32.exe73⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Eknpadcn.exeC:\Windows\system32\Eknpadcn.exe75⤵PID:1836
-
C:\Windows\SysWOW64\Eojlbb32.exeC:\Windows\system32\Eojlbb32.exe76⤵PID:2020
-
C:\Windows\SysWOW64\Feddombd.exeC:\Windows\system32\Feddombd.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe78⤵PID:2244
-
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe79⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe80⤵PID:1604
-
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe81⤵PID:1564
-
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe82⤵PID:2976
-
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe83⤵PID:2812
-
C:\Windows\SysWOW64\Fccglehn.exeC:\Windows\system32\Fccglehn.exe84⤵PID:2972
-
C:\Windows\SysWOW64\Fgocmc32.exeC:\Windows\system32\Fgocmc32.exe85⤵PID:2512
-
C:\Windows\SysWOW64\Fimoiopk.exeC:\Windows\system32\Fimoiopk.exe86⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe87⤵PID:2372
-
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Gkgoff32.exeC:\Windows\system32\Gkgoff32.exe89⤵PID:1644
-
C:\Windows\SysWOW64\Gnfkba32.exeC:\Windows\system32\Gnfkba32.exe90⤵PID:524
-
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe91⤵PID:328
-
C:\Windows\SysWOW64\Hdpcokdo.exeC:\Windows\system32\Hdpcokdo.exe92⤵PID:2684
-
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe93⤵PID:2756
-
C:\Windows\SysWOW64\Hnhgha32.exeC:\Windows\system32\Hnhgha32.exe94⤵PID:1108
-
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe95⤵PID:1396
-
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe96⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Hklhae32.exeC:\Windows\system32\Hklhae32.exe97⤵
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe98⤵PID:1860
-
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe99⤵PID:1488
-
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe100⤵PID:2740
-
C:\Windows\SysWOW64\Hgciff32.exeC:\Windows\system32\Hgciff32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Hfhfhbce.exeC:\Windows\system32\Hfhfhbce.exe102⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe103⤵
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Ikldqile.exeC:\Windows\system32\Ikldqile.exe104⤵PID:1704
-
C:\Windows\SysWOW64\Ibfmmb32.exeC:\Windows\system32\Ibfmmb32.exe105⤵PID:2824
-
C:\Windows\SysWOW64\Iediin32.exeC:\Windows\system32\Iediin32.exe106⤵PID:2280
-
C:\Windows\SysWOW64\Igceej32.exeC:\Windows\system32\Igceej32.exe107⤵PID:3068
-
C:\Windows\SysWOW64\Ijaaae32.exeC:\Windows\system32\Ijaaae32.exe108⤵PID:2336
-
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe109⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:852 -
C:\Windows\SysWOW64\Ijcngenj.exeC:\Windows\system32\Ijcngenj.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe112⤵PID:2592
-
C:\Windows\SysWOW64\Iamfdo32.exeC:\Windows\system32\Iamfdo32.exe113⤵PID:1580
-
C:\Windows\SysWOW64\Ieibdnnp.exeC:\Windows\system32\Ieibdnnp.exe114⤵PID:1120
-
C:\Windows\SysWOW64\Jggoqimd.exeC:\Windows\system32\Jggoqimd.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Jfjolf32.exeC:\Windows\system32\Jfjolf32.exe116⤵PID:572
-
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe117⤵PID:2788
-
C:\Windows\SysWOW64\Jcnoejch.exeC:\Windows\system32\Jcnoejch.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Jjhgbd32.exeC:\Windows\system32\Jjhgbd32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1332 -
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe121⤵PID:2636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-