Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 20/04/2024, 04:40
Static task: static1
Behavioral task: behavioral1
  Sample: f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073.exe
  Resource: win10v2004-20240226-en
General
Target: f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073.exe
Size: 163KB
MD5: d6891b608c4716c31359175499c61cce
SHA1: a1041a621b7d6aff7bfcf4e63276d563b9a7bfa1
SHA256: f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073
SHA512: e4e15760bcaa5dd74eeb41f42337efb6eefee668ab55bada883adc0d937dadd2ec939a446759605e665928616aa6216ac806bf45a1da1491c1bcf3c9cdefea16
SSDEEP: 1536:Pj8I75xda5BIYhQkILf2ECUZQ0ILlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:LxfZeaD2V7LltOrWKDBr+yJb
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pijbfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpjiajeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fehjeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhhcgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdqafgnf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apcfahio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfefiemq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gldkfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpocfncj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pphjgfqq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhlmgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Banepo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djefobmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eihfjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpknlk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Midcpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abbbnchb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbbkja32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nohnhc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nocemcbj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhcdaibd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdakgibq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhjgal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddcdkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebbgid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hejoiedd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mohbip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogmfbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apcfahio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdlnkmha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnilobkm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgfjbgmh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laplei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdqafgnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqlafm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejbfhfaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icbimi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfmdnp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bghabf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bopicc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dflkdp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egamfkdh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbnccfpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kinaqg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oicpfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pndniaop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Migpeiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abmibdlh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcplhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mochnppo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmqdkj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emeopn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebbgid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knjiin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfdpip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qlhnbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djefobmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncancbha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjijdadm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmoipopd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncmdhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fejgko32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfefiemq.exe
Detects executables built or packed with MPress PE compressor (64 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012252-5.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0035000000014502-25.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000014b10-39.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000014dae-53.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015c93-58.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cb0-71.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cce-84.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015ce3-104.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d0c-111.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d44-130.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015e09-143.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015f3c-157.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000160cc-163.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000162c9-183.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001654a-189.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016813-210.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c1d-218.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c42-229.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cb2-240.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/828-257-0x0000000000400000-0x0000000000453000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cf5-250.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d05-262.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d16-273.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d32-284.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0035000000014662-295.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d9f-306.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1620-314-0x0000000000400000-0x0000000000453000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016db3-317.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016fe8-328.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000175ac-350.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000173e5-337.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000175b8-360.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000018640-369.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000186c1-378.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018700-391.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001874c-400.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000191eb-412.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019223-422.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019233-435.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019248-444.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019331-455.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001935b-466.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019413-486.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000193e2-477.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019426-498.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019437-510.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001948d-520.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194c4-529.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019520-541.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195b2-551.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195eb-562.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195ef-571.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195f5-591.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195f1-581.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019607-601.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001968d-610.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019961-622.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c21-632.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c3e-646.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019d2f-656.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019da2-667.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019fa5-678.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a06b-689.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a2ec-698.dat | INDICATOR_EXE_Packed_MPress
UPX dump on OEP (original entry point) (64 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012252-5.dat | UPX
behavioral1/files/0x0035000000014502-25.dat | UPX
behavioral1/files/0x0007000000014b10-39.dat | UPX
behavioral1/files/0x0008000000014dae-53.dat | UPX
behavioral1/files/0x0006000000015c93-58.dat | UPX
behavioral1/files/0x0006000000015cb0-71.dat | UPX
behavioral1/files/0x0006000000015cce-84.dat | UPX
behavioral1/files/0x0006000000015ce3-104.dat | UPX
behavioral1/files/0x0006000000015d0c-111.dat | UPX
behavioral1/files/0x0006000000015d44-130.dat | UPX
behavioral1/files/0x0006000000015e09-143.dat | UPX
behavioral1/files/0x0006000000015f3c-157.dat | UPX
behavioral1/files/0x00060000000160cc-163.dat | UPX
behavioral1/files/0x00060000000162c9-183.dat | UPX
behavioral1/files/0x000600000001654a-189.dat | UPX
behavioral1/files/0x0006000000016813-210.dat | UPX
behavioral1/files/0x0006000000016c1d-218.dat | UPX
behavioral1/files/0x0006000000016c42-229.dat | UPX
behavioral1/files/0x0006000000016cb2-240.dat | UPX
behavioral1/memory/828-257-0x0000000000400000-0x0000000000453000-memory.dmp | UPX
behavioral1/files/0x0006000000016cf5-250.dat | UPX
behavioral1/files/0x0006000000016d05-262.dat | UPX
behavioral1/files/0x0006000000016d16-273.dat | UPX
behavioral1/files/0x0006000000016d32-284.dat | UPX
behavioral1/files/0x0035000000014662-295.dat | UPX
behavioral1/files/0x0006000000016d9f-306.dat | UPX
behavioral1/memory/1620-314-0x0000000000400000-0x0000000000453000-memory.dmp | UPX
behavioral1/files/0x0006000000016db3-317.dat | UPX
behavioral1/files/0x0006000000016fe8-328.dat | UPX
behavioral1/files/0x00060000000175ac-350.dat | UPX
behavioral1/files/0x00060000000173e5-337.dat | UPX
behavioral1/files/0x00060000000175b8-360.dat | UPX
behavioral1/files/0x0009000000018640-369.dat | UPX
behavioral1/files/0x00050000000186c1-378.dat | UPX
behavioral1/files/0x0005000000018700-391.dat | UPX
behavioral1/files/0x000500000001874c-400.dat | UPX
behavioral1/files/0x00050000000191eb-412.dat | UPX
behavioral1/files/0x0005000000019223-422.dat | UPX
behavioral1/files/0x0005000000019233-435.dat | UPX
behavioral1/files/0x0005000000019248-444.dat | UPX
behavioral1/files/0x0005000000019331-455.dat | UPX
behavioral1/files/0x000500000001935b-466.dat | UPX
behavioral1/files/0x0005000000019413-486.dat | UPX
behavioral1/files/0x00050000000193e2-477.dat | UPX
behavioral1/files/0x0005000000019426-498.dat | UPX
behavioral1/files/0x0005000000019437-510.dat | UPX
behavioral1/files/0x000500000001948d-520.dat | UPX
behavioral1/files/0x00050000000194c4-529.dat | UPX
behavioral1/files/0x0005000000019520-541.dat | UPX
behavioral1/files/0x00050000000195b2-551.dat | UPX
behavioral1/files/0x00050000000195eb-562.dat | UPX
behavioral1/files/0x00050000000195ef-571.dat | UPX
behavioral1/files/0x00050000000195f5-591.dat | UPX
behavioral1/files/0x00050000000195f1-581.dat | UPX
behavioral1/files/0x0005000000019607-601.dat | UPX
behavioral1/files/0x000500000001968d-610.dat | UPX
behavioral1/files/0x0005000000019961-622.dat | UPX
behavioral1/files/0x0005000000019c21-632.dat | UPX
behavioral1/files/0x0005000000019c3e-646.dat | UPX
behavioral1/files/0x0005000000019d2f-656.dat | UPX
behavioral1/files/0x0005000000019da2-667.dat | UPX
behavioral1/files/0x0005000000019fa5-678.dat | UPX
behavioral1/files/0x000500000001a06b-689.dat | UPX
behavioral1/files/0x000500000001a2ec-698.dat | UPX
Executes dropped EXE (64 IoCs)
pid | Process
2592 | Jmdcfg32.exe
2548 | Kbalnnam.exe
3016 | Kmgpkfab.exe
2104 | Kpemgbqf.exe
2196 | Kbcicmpj.exe
2464 | Kinaqg32.exe
3048 | Knjiin32.exe
1640 | Kedaeh32.exe
2820 | Kpjfba32.exe
2208 | Kbhbom32.exe
1760 | Kegnkh32.exe
1968 | Klqfhbbe.exe
2372 | Koocdnai.exe
840 | Kdlkld32.exe
2184 | Llccmb32.exe
2688 | Lmdpejfq.exe
796 | Laplei32.exe
936 | Lfmdnp32.exe
828 | Lkhpnnej.exe
1076 | Ldqegd32.exe
2220 | Lhlqhb32.exe
1352 | Ladeqhjd.exe
1032 | Ldcamcih.exe
2128 | Lipjejgp.exe
1620 | Lpjbad32.exe
2928 | Lefkjkmc.exe
2640 | Mcjkcplm.exe
2936 | Midcpj32.exe
2740 | Mhgclfje.exe
3032 | Mcmhiojk.exe
2460 | Migpeiag.exe
2444 | Mkhmma32.exe
1588 | Mochnppo.exe
2492 | Mdqafgnf.exe
1964 | Mhlmgf32.exe
1864 | Mnieom32.exe
1688 | Mdcnlglc.exe
308 | Mohbip32.exe
2264 | Magnek32.exe
1200 | Mhqfbebj.exe
1676 | Mkobnqan.exe
1532 | Nnnojlpa.exe
2976 | Nplkfgoe.exe
480 | Ncjgbcoi.exe
1148 | Nnplpl32.exe
2356 | Npnhlg32.exe
2160 | Ncmdhb32.exe
916 | Nfkpdn32.exe
908 | Nnbhek32.exe
2024 | Nleiqhcg.exe
1604 | Nocemcbj.exe
2780 | Ngkmnacm.exe
2596 | Njiijlbp.exe
2888 | Nhlifi32.exe
2544 | Nqcagfim.exe
2612 | Ncancbha.exe
2892 | Nbdnoo32.exe
1304 | Nmjblg32.exe
1972 | Nohnhc32.exe
1924 | Odegpj32.exe
1668 | Onmkio32.exe
1260 | Ofdcjm32.exe
1816 | Oicpfh32.exe
2068 | Oomhcbjp.exe
Loads dropped DLL (64 IoCs)
pid | Process
1772 | f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073.exe
1772 | f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073.exe
2592 | Jmdcfg32.exe
2592 | Jmdcfg32.exe
2548 | Kbalnnam.exe
2548 | Kbalnnam.exe
3016 | Kmgpkfab.exe
3016 | Kmgpkfab.exe
2104 | Kpemgbqf.exe
2104 | Kpemgbqf.exe
2196 | Kbcicmpj.exe
2196 | Kbcicmpj.exe
2464 | Kinaqg32.exe
2464 | Kinaqg32.exe
3048 | Knjiin32.exe
3048 | Knjiin32.exe
1640 | Kedaeh32.exe
1640 | Kedaeh32.exe
2820 | Kpjfba32.exe
2820 | Kpjfba32.exe
2208 | Kbhbom32.exe
2208 | Kbhbom32.exe
1760 | Kegnkh32.exe
1760 | Kegnkh32.exe
1968 | Klqfhbbe.exe
1968 | Klqfhbbe.exe
2372 | Koocdnai.exe
2372 | Koocdnai.exe
840 | Kdlkld32.exe
840 | Kdlkld32.exe
2184 | Llccmb32.exe
2184 | Llccmb32.exe
2688 | Lmdpejfq.exe
2688 | Lmdpejfq.exe
796 | Laplei32.exe
796 | Laplei32.exe
936 | Lfmdnp32.exe
936 | Lfmdnp32.exe
828 | Lkhpnnej.exe
828 | Lkhpnnej.exe
1076 | Ldqegd32.exe
1076 | Ldqegd32.exe
2220 | Lhlqhb32.exe
2220 | Lhlqhb32.exe
1352 | Ladeqhjd.exe
1352 | Ladeqhjd.exe
1032 | Ldcamcih.exe
1032 | Ldcamcih.exe
2128 | Lipjejgp.exe
2128 | Lipjejgp.exe
1620 | Lpjbad32.exe
1620 | Lpjbad32.exe
2928 | Lefkjkmc.exe
2928 | Lefkjkmc.exe
2640 | Mcjkcplm.exe
2640 | Mcjkcplm.exe
2936 | Midcpj32.exe
2936 | Midcpj32.exe
2740 | Mhgclfje.exe
2740 | Mhgclfje.exe
3032 | Mcmhiojk.exe
3032 | Mcmhiojk.exe
2460 | Migpeiag.exe
2460 | Migpeiag.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dekpaqgc.dll | Ekholjqg.exe
File opened for modification | C:\Windows\SysWOW64\Nplkfgoe.exe | Nnnojlpa.exe
File opened for modification | C:\Windows\SysWOW64\Apcfahio.exe | Amejeljk.exe
File opened for modification | C:\Windows\SysWOW64\Dhmcfkme.exe | Dqelenlc.exe
File created | C:\Windows\SysWOW64\Ekholjqg.exe | Emeopn32.exe
File created | C:\Windows\SysWOW64\Maphhihi.dll | Emhlfmgj.exe
File created | C:\Windows\SysWOW64\Fjlhneio.exe | Ffpmnf32.exe
File created | C:\Windows\SysWOW64\Jjcpjl32.dll | Ghoegl32.exe
File created | C:\Windows\SysWOW64\Mhgclfje.exe | Midcpj32.exe
File created | C:\Windows\SysWOW64\Deokcq32.dll | Banepo32.exe
File created | C:\Windows\SysWOW64\Ckignd32.exe | Cgmkmecg.exe
File created | C:\Windows\SysWOW64\Nlbodgap.dll | Cfinoq32.exe
File created | C:\Windows\SysWOW64\Ccdcec32.dll | Cndbcc32.exe
File created | C:\Windows\SysWOW64\Dbbkja32.exe | Dodonf32.exe
File created | C:\Windows\SysWOW64\Ongbcmlc.dll | Ffkcbgek.exe
File created | C:\Windows\SysWOW64\Iiiaeiac.dll | Ldqegd32.exe
File created | C:\Windows\SysWOW64\Bloqah32.exe | Bhcdaibd.exe
File created | C:\Windows\SysWOW64\Ebgacddo.exe | Egamfkdh.exe
File created | C:\Windows\SysWOW64\Hpocfncj.exe | Hlcgeo32.exe
File created | C:\Windows\SysWOW64\Fphafl32.exe | Flmefm32.exe
File created | C:\Windows\SysWOW64\Lbjhdo32.dll | Qbbfopeg.exe
File created | C:\Windows\SysWOW64\Ccfhhffh.exe | Cphlljge.exe
File created | C:\Windows\SysWOW64\Bkodhe32.exe | Blmdlhmp.exe
File opened for modification | C:\Windows\SysWOW64\Pphjgfqq.exe | Paejki32.exe
File created | C:\Windows\SysWOW64\Pfflopdh.exe | Pchpbded.exe
File opened for modification | C:\Windows\SysWOW64\Qbbfopeg.exe | Qjknnbed.exe
File created | C:\Windows\SysWOW64\Adjigg32.exe | Ampqjm32.exe
File created | C:\Windows\SysWOW64\Bingpmnl.exe | Bebkpn32.exe
File created | C:\Windows\SysWOW64\Hfbenjka.dll | Dflkdp32.exe
File created | C:\Windows\SysWOW64\Mdqafgnf.exe | Mochnppo.exe
File created | C:\Windows\SysWOW64\Doffod32.dll | Oenifh32.exe
File created | C:\Windows\SysWOW64\Gaqcoc32.exe | Gbnccfpb.exe
File opened for modification | C:\Windows\SysWOW64\Hiqbndpb.exe | Hgbebiao.exe
File created | C:\Windows\SysWOW64\Imgcddkm.dll | Oiellh32.exe
File opened for modification | C:\Windows\SysWOW64\Pnbacbac.exe | Ppoqge32.exe
File created | C:\Windows\SysWOW64\Flcnijgi.dll | Dfgmhd32.exe
File created | C:\Windows\SysWOW64\Dmafennb.exe | Djbiicon.exe
File opened for modification | C:\Windows\SysWOW64\Egdilkbf.exe | Eiaiqn32.exe
File created | C:\Windows\SysWOW64\Hpkjko32.exe | Hmlnoc32.exe
File opened for modification | C:\Windows\SysWOW64\Ejgcdb32.exe | Ebpkce32.exe
File created | C:\Windows\SysWOW64\Iffhidee.dll | Npnhlg32.exe
File opened for modification | C:\Windows\SysWOW64\Cjbmjplb.exe | Cbkeib32.exe
File created | C:\Windows\SysWOW64\Mmqgncdn.dll | Eihfjo32.exe
File created | C:\Windows\SysWOW64\Cfeoofge.dll | Emcbkn32.exe
File opened for modification | C:\Windows\SysWOW64\Kpemgbqf.exe | Kmgpkfab.exe
File opened for modification | C:\Windows\SysWOW64\Dkhcmgnl.exe | Dgmglh32.exe
File created | C:\Windows\SysWOW64\Acpmei32.dll | Ejbfhfaj.exe
File opened for modification | C:\Windows\SysWOW64\Oicpfh32.exe | Ofdcjm32.exe
File opened for modification | C:\Windows\SysWOW64\Cndbcc32.exe | Cobbhfhg.exe
File opened for modification | C:\Windows\SysWOW64\Dodonf32.exe | Dkhcmgnl.exe
File created | C:\Windows\SysWOW64\Dcknbh32.exe | Dqlafm32.exe
File opened for modification | C:\Windows\SysWOW64\Fphafl32.exe | Flmefm32.exe
File created | C:\Windows\SysWOW64\Hlkljlhn.dll | Llccmb32.exe
File created | C:\Windows\SysWOW64\Ladeqhjd.exe | Lhlqhb32.exe
File created | C:\Windows\SysWOW64\Gooqhm32.dll | Odegpj32.exe
File created | C:\Windows\SysWOW64\Qmlgonbe.exe | Qnigda32.exe
File created | C:\Windows\SysWOW64\Jolfcj32.dll | Alenki32.exe
File created | C:\Windows\SysWOW64\Cobbhfhg.exe | Ckffgg32.exe
File created | C:\Windows\SysWOW64\Gacpdbej.exe | Gmgdddmq.exe
File created | C:\Windows\SysWOW64\Aajpelhl.exe | Adeplhib.exe
File created | C:\Windows\SysWOW64\Dcfdgiid.exe | Ddcdkl32.exe
File opened for modification | C:\Windows\SysWOW64\Ecmkghcl.exe | Eqonkmdh.exe
File opened for modification | C:\Windows\SysWOW64\Icbimi32.exe | Hkkalk32.exe
File opened for modification | C:\Windows\SysWOW64\Mochnppo.exe | Mkhmma32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3684 | 4040 | WerFault.exe | 327
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmoipopd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkhmma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngohf32.dll" | Ampqjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfpbmji.dll" | Aoffmd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhfagipa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Flabbihl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fnpnndgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjlled32.dll" | Kpjfba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjijdadm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghmiam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nleiqhcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefagn32.dll" | Qlhnbf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fhffaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpokk32.dll" | Pnbacbac.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djnpnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiabof32.dll" | Cgmkmecg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qljkhe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmlnoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll" | Qbbfopeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhjgal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpocfncj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qlhnbf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ailkjmpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll" | Dmafennb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fhhcgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfbdd32.dll" | Abmibdlh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccedfd32.dll" | Nplkfgoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" | Cphlljge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" | Clomqk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chemfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" | Goddhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllkkc32.dll" | Ladeqhjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjlmdgj.dll" | Oicpfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcqoe32.dll" | Pchpbded.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" | Ckffgg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejbfhfaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll" | Flmefm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmjblg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oicpfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmqdkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbkeib32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djpmccqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emeopn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhjogple.dll" | Kdlkld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmddhkao.dll" | Bebkpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Flmefm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amejeljk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpkjko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klqfhbbe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Abpfhcje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" | Cciemedf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fphafl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Glfhll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" | Cgbdhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkobnqan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glfhll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ioijbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjljknn.dll" | Kbhbom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hlcgeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll" | Cdakgibq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dqjepm32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" Djnpnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnplpl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Columns in the raw record are description, pid, Process and procid_target. The sandbox logged each of the 16 cross-process writes four times (64 IoCs in total); each distinct write is listed once here, in the order recorded:

- PID 1772 (f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073.exe) wrote to memory of PID 2592 (procid_target 28)
- PID 2592 (Jmdcfg32.exe) wrote to memory of PID 2548 (procid_target 29)
- PID 2548 (Kbalnnam.exe) wrote to memory of PID 3016 (procid_target 30)
- PID 3016 (Kmgpkfab.exe) wrote to memory of PID 2104 (procid_target 31)
- PID 2104 (Kpemgbqf.exe) wrote to memory of PID 2196 (procid_target 32)
- PID 2196 (Kbcicmpj.exe) wrote to memory of PID 2464 (procid_target 33)
- PID 2464 (Kinaqg32.exe) wrote to memory of PID 3048 (procid_target 34)
- PID 3048 (Knjiin32.exe) wrote to memory of PID 1640 (procid_target 35)
- PID 1640 (Kedaeh32.exe) wrote to memory of PID 2820 (procid_target 36)
- PID 2820 (Kpjfba32.exe) wrote to memory of PID 2208 (procid_target 37)
- PID 2208 (Kbhbom32.exe) wrote to memory of PID 1760 (procid_target 38)
- PID 1760 (Kegnkh32.exe) wrote to memory of PID 1968 (procid_target 39)
- PID 1968 (Klqfhbbe.exe) wrote to memory of PID 2372 (procid_target 40)
- PID 2372 (Koocdnai.exe) wrote to memory of PID 840 (procid_target 41)
- PID 840 (Kdlkld32.exe) wrote to memory of PID 2184 (procid_target 42)
- PID 2184 (Llccmb32.exe) wrote to memory of PID 2688 (procid_target 43)
Processes
Process tree as recorded by the sandbox. The number in front of each entry is its nesting depth in the tree; every process here sits one level below the one before it. Each entry gives the image path, the command line the sandbox captured, the PID, and the behaviours flagged for that process.

1. C:\Users\Admin\AppData\Local\Temp\f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f11d1aa09a29121a85155b5bc9143e319e6790ab6c0d959937f6e69119b08073.exe"), PID 1772
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Jmdcfg32.exe (command line: C:\Windows\system32\Jmdcfg32.exe), PID 2592
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kbalnnam.exe (command line: C:\Windows\system32\Kbalnnam.exe), PID 2548
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kmgpkfab.exe (command line: C:\Windows\system32\Kmgpkfab.exe), PID 3016
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kpemgbqf.exe (command line: C:\Windows\system32\Kpemgbqf.exe), PID 2104
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kbcicmpj.exe (command line: C:\Windows\system32\Kbcicmpj.exe), PID 2196
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kinaqg32.exe (command line: C:\Windows\system32\Kinaqg32.exe), PID 2464
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Knjiin32.exe (command line: C:\Windows\system32\Knjiin32.exe), PID 3048
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kedaeh32.exe (command line: C:\Windows\system32\Kedaeh32.exe), PID 1640
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kpjfba32.exe (command line: C:\Windows\system32\Kpjfba32.exe), PID 2820
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kbhbom32.exe (command line: C:\Windows\system32\Kbhbom32.exe), PID 2208
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kegnkh32.exe (command line: C:\Windows\system32\Kegnkh32.exe), PID 1760
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Klqfhbbe.exe (command line: C:\Windows\system32\Klqfhbbe.exe), PID 1968
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Koocdnai.exe (command line: C:\Windows\system32\Koocdnai.exe), PID 2372
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kdlkld32.exe (command line: C:\Windows\system32\Kdlkld32.exe), PID 840
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Llccmb32.exe (command line: C:\Windows\system32\Llccmb32.exe), PID 2184
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lmdpejfq.exe (command line: C:\Windows\system32\Lmdpejfq.exe), PID 2688
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Laplei32.exe (command line: C:\Windows\system32\Laplei32.exe), PID 796
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Lfmdnp32.exe (command line: C:\Windows\system32\Lfmdnp32.exe), PID 936
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Lkhpnnej.exe (command line: C:\Windows\system32\Lkhpnnej.exe), PID 828
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Ldqegd32.exe (command line: C:\Windows\system32\Ldqegd32.exe), PID 1076
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
22. C:\Windows\SysWOW64\Lhlqhb32.exe (command line: C:\Windows\system32\Lhlqhb32.exe), PID 2220
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
23. C:\Windows\SysWOW64\Ladeqhjd.exe (command line: C:\Windows\system32\Ladeqhjd.exe), PID 1352
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
24. C:\Windows\SysWOW64\Ldcamcih.exe (command line: C:\Windows\system32\Ldcamcih.exe), PID 1032
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Lipjejgp.exe (command line: C:\Windows\system32\Lipjejgp.exe), PID 2128
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Lpjbad32.exe (command line: C:\Windows\system32\Lpjbad32.exe), PID 1620
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Lefkjkmc.exe (command line: C:\Windows\system32\Lefkjkmc.exe), PID 2928
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Mcjkcplm.exe (command line: C:\Windows\system32\Mcjkcplm.exe), PID 2640
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Midcpj32.exe (command line: C:\Windows\system32\Midcpj32.exe), PID 2936
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
30. C:\Windows\SysWOW64\Mhgclfje.exe (command line: C:\Windows\system32\Mhgclfje.exe), PID 2740
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Mcmhiojk.exe (command line: C:\Windows\system32\Mcmhiojk.exe), PID 3032
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Migpeiag.exe (command line: C:\Windows\system32\Migpeiag.exe), PID 2460
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Mkhmma32.exe (command line: C:\Windows\system32\Mkhmma32.exe), PID 2444
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
34. C:\Windows\SysWOW64\Mochnppo.exe (command line: C:\Windows\system32\Mochnppo.exe), PID 1588
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
35. C:\Windows\SysWOW64\Mdqafgnf.exe (command line: C:\Windows\system32\Mdqafgnf.exe), PID 2492
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Mhlmgf32.exe (command line: C:\Windows\system32\Mhlmgf32.exe), PID 1964
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Mnieom32.exe (command line: C:\Windows\system32\Mnieom32.exe), PID 1864
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Mdcnlglc.exe (command line: C:\Windows\system32\Mdcnlglc.exe), PID 1688
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Mohbip32.exe (command line: C:\Windows\system32\Mohbip32.exe), PID 308
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Magnek32.exe (command line: C:\Windows\system32\Magnek32.exe), PID 2264
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Mhqfbebj.exe (command line: C:\Windows\system32\Mhqfbebj.exe), PID 1200
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Mkobnqan.exe (command line: C:\Windows\system32\Mkobnqan.exe), PID 1676
   - Executes dropped EXE
   - Modifies registry class
43. C:\Windows\SysWOW64\Nnnojlpa.exe (command line: C:\Windows\system32\Nnnojlpa.exe), PID 1532
   - Executes dropped EXE
   - Drops file in System32 directory
44. C:\Windows\SysWOW64\Nplkfgoe.exe (command line: C:\Windows\system32\Nplkfgoe.exe), PID 2976
   - Executes dropped EXE
   - Modifies registry class
45. C:\Windows\SysWOW64\Ncjgbcoi.exe (command line: C:\Windows\system32\Ncjgbcoi.exe), PID 480
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Nnplpl32.exe (command line: C:\Windows\system32\Nnplpl32.exe), PID 1148
   - Executes dropped EXE
   - Modifies registry class
47. C:\Windows\SysWOW64\Npnhlg32.exe (command line: C:\Windows\system32\Npnhlg32.exe), PID 2356
   - Executes dropped EXE
   - Drops file in System32 directory
48. C:\Windows\SysWOW64\Ncmdhb32.exe (command line: C:\Windows\system32\Ncmdhb32.exe), PID 2160
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Nfkpdn32.exe (command line: C:\Windows\system32\Nfkpdn32.exe), PID 916
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Nnbhek32.exe (command line: C:\Windows\system32\Nnbhek32.exe), PID 908
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Nleiqhcg.exe (command line: C:\Windows\system32\Nleiqhcg.exe), PID 2024
   - Executes dropped EXE
   - Modifies registry class
52. C:\Windows\SysWOW64\Nocemcbj.exe (command line: C:\Windows\system32\Nocemcbj.exe), PID 1604
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Ngkmnacm.exe (command line: C:\Windows\system32\Ngkmnacm.exe), PID 2780
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Njiijlbp.exe (command line: C:\Windows\system32\Njiijlbp.exe), PID 2596
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Nhlifi32.exe (command line: C:\Windows\system32\Nhlifi32.exe), PID 2888
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Nqcagfim.exe (command line: C:\Windows\system32\Nqcagfim.exe), PID 2544
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Ncancbha.exe (command line: C:\Windows\system32\Ncancbha.exe), PID 2612
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Nbdnoo32.exe (command line: C:\Windows\system32\Nbdnoo32.exe), PID 2892
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Nmjblg32.exe (command line: C:\Windows\system32\Nmjblg32.exe), PID 1304
   - Executes dropped EXE
   - Modifies registry class
60. C:\Windows\SysWOW64\Nohnhc32.exe (command line: C:\Windows\system32\Nohnhc32.exe), PID 1972
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Odegpj32.exe (command line: C:\Windows\system32\Odegpj32.exe), PID 1924
   - Executes dropped EXE
   - Drops file in System32 directory
62. C:\Windows\SysWOW64\Onmkio32.exe (command line: C:\Windows\system32\Onmkio32.exe), PID 1668
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Ofdcjm32.exe (command line: C:\Windows\system32\Ofdcjm32.exe), PID 1260
   - Executes dropped EXE
   - Drops file in System32 directory
64. C:\Windows\SysWOW64\Oicpfh32.exe (command line: C:\Windows\system32\Oicpfh32.exe), PID 1816
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
65. C:\Windows\SysWOW64\Oomhcbjp.exe (command line: C:\Windows\system32\Oomhcbjp.exe), PID 2068
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Obkdonic.exe (command line: C:\Windows\system32\Obkdonic.exe), PID 692
67. C:\Windows\SysWOW64\Odjpkihg.exe (command line: C:\Windows\system32\Odjpkihg.exe), PID 3060
68. C:\Windows\SysWOW64\Oiellh32.exe (command line: C:\Windows\system32\Oiellh32.exe), PID 2284
   - Drops file in System32 directory
69. C:\Windows\SysWOW64\Okchhc32.exe (command line: C:\Windows\system32\Okchhc32.exe), PID 1784
70. C:\Windows\SysWOW64\Ojficpfn.exe (command line: C:\Windows\system32\Ojficpfn.exe), PID 2752
71. C:\Windows\SysWOW64\Ocomlemo.exe (command line: C:\Windows\system32\Ocomlemo.exe), PID 3008
72. C:\Windows\SysWOW64\Ogjimd32.exe (command line: C:\Windows\system32\Ogjimd32.exe), PID 2088
73. C:\Windows\SysWOW64\Ondajnme.exe (command line: C:\Windows\system32\Ondajnme.exe), PID 2800
74. C:\Windows\SysWOW64\Oenifh32.exe (command line: C:\Windows\system32\Oenifh32.exe), PID 2812
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Ocajbekl.exe (command line: C:\Windows\system32\Ocajbekl.exe), PID 2576
76. C:\Windows\SysWOW64\Ogmfbd32.exe (command line: C:\Windows\system32\Ogmfbd32.exe), PID 2672
   - Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Paejki32.exe (command line: C:\Windows\system32\Paejki32.exe), PID 2732
   - Drops file in System32 directory
78. C:\Windows\SysWOW64\Pphjgfqq.exe (command line: C:\Windows\system32\Pphjgfqq.exe), PID 2904
   - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Pjmodopf.exe (command line: C:\Windows\system32\Pjmodopf.exe), PID 2360
80. C:\Windows\SysWOW64\Pipopl32.exe (command line: C:\Windows\system32\Pipopl32.exe), PID 2604
81. C:\Windows\SysWOW64\Paggai32.exe (command line: C:\Windows\system32\Paggai32.exe), PID 2744
82. C:\Windows\SysWOW64\Pcfcmd32.exe (command line: C:\Windows\system32\Pcfcmd32.exe), PID 2512
83. C:\Windows\SysWOW64\Pfdpip32.exe (command line: C:\Windows\system32\Pfdpip32.exe), PID 1652
   - Adds autorun key to be loaded by Explorer.exe on startup
84. C:\Windows\SysWOW64\Pjpkjond.exe (command line: C:\Windows\system32\Pjpkjond.exe), PID 632
85. C:\Windows\SysWOW64\Pchpbded.exe (command line: C:\Windows\system32\Pchpbded.exe), PID 2332
   - Drops file in System32 directory
   - Modifies registry class
86. C:\Windows\SysWOW64\Pfflopdh.exe (command line: C:\Windows\system32\Pfflopdh.exe), PID 2084
87. C:\Windows\SysWOW64\Piehkkcl.exe (command line: C:\Windows\system32\Piehkkcl.exe), PID 592
88. C:\Windows\SysWOW64\Pmqdkj32.exe (command line: C:\Windows\system32\Pmqdkj32.exe), PID 1400
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
89. C:\Windows\SysWOW64\Ppoqge32.exe (command line: C:\Windows\system32\Ppoqge32.exe), PID 1800
   - Drops file in System32 directory
90. C:\Windows\SysWOW64\Pnbacbac.exe (command line: C:\Windows\system32\Pnbacbac.exe), PID 2416
   - Modifies registry class
91. C:\Windows\SysWOW64\Pfiidobe.exe (command line: C:\Windows\system32\Pfiidobe.exe), PID 1092
92. C:\Windows\SysWOW64\Pigeqkai.exe (command line: C:\Windows\system32\Pigeqkai.exe), PID 2808
93. C:\Windows\SysWOW64\Pndniaop.exe (command line: C:\Windows\system32\Pndniaop.exe), PID 2832
   - Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Pbpjiphi.exe (command line: C:\Windows\system32\Pbpjiphi.exe), PID 1720
95. C:\Windows\SysWOW64\Penfelgm.exe (command line: C:\Windows\system32\Penfelgm.exe), PID 2456
96. C:\Windows\SysWOW64\Pijbfj32.exe (command line: C:\Windows\system32\Pijbfj32.exe), PID 2520
   - Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Qlhnbf32.exe (command line: C:\Windows\system32\Qlhnbf32.exe), PID 2860
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
98. C:\Windows\SysWOW64\Qjknnbed.exe (command line: C:\Windows\system32\Qjknnbed.exe), PID 2404
   - Drops file in System32 directory
99. C:\Windows\SysWOW64\Qbbfopeg.exe (command line: C:\Windows\system32\Qbbfopeg.exe), PID 1300
   - Drops file in System32 directory
   - Modifies registry class
100. C:\Windows\SysWOW64\Qaefjm32.exe (command line: C:\Windows\system32\Qaefjm32.exe), PID 2392
101. C:\Windows\SysWOW64\Qdccfh32.exe (command line: C:\Windows\system32\Qdccfh32.exe), PID 2364
102. C:\Windows\SysWOW64\Qhooggdn.exe (command line: C:\Windows\system32\Qhooggdn.exe), PID 320
103. C:\Windows\SysWOW64\Qljkhe32.exe (command line: C:\Windows\system32\Qljkhe32.exe), PID 536
   - Modifies registry class
104. C:\Windows\SysWOW64\Qnigda32.exe (command line: C:\Windows\system32\Qnigda32.exe), PID 1492
   - Drops file in System32 directory
105. C:\Windows\SysWOW64\Qmlgonbe.exe (command line: C:\Windows\system32\Qmlgonbe.exe), PID 892
106. C:\Windows\SysWOW64\Adeplhib.exe (command line: C:\Windows\system32\Adeplhib.exe), PID 1036
   - Drops file in System32 directory
107. C:\Windows\SysWOW64\Aajpelhl.exe (command line: C:\Windows\system32\Aajpelhl.exe), PID 1820
108. C:\Windows\SysWOW64\Aplpai32.exe (command line: C:\Windows\system32\Aplpai32.exe), PID 2452
109. C:\Windows\SysWOW64\Ajbdna32.exe (command line: C:\Windows\system32\Ajbdna32.exe), PID 2908
110. C:\Windows\SysWOW64\Ampqjm32.exe (command line: C:\Windows\system32\Ampqjm32.exe), PID 2508
   - Drops file in System32 directory
   - Modifies registry class
111. C:\Windows\SysWOW64\Adjigg32.exe (command line: C:\Windows\system32\Adjigg32.exe), PID 1276
112. C:\Windows\SysWOW64\Abmibdlh.exe (command line: C:\Windows\system32\Abmibdlh.exe), PID 1708
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
113. C:\Windows\SysWOW64\Aigaon32.exe (command line: C:\Windows\system32\Aigaon32.exe), PID 2484
114. C:\Windows\SysWOW64\Alenki32.exe (command line: C:\Windows\system32\Alenki32.exe), PID 1648
   - Drops file in System32 directory
115. C:\Windows\SysWOW64\Admemg32.exe (command line: C:\Windows\system32\Admemg32.exe), PID 992
116. C:\Windows\SysWOW64\Abpfhcje.exe (command line: C:\Windows\system32\Abpfhcje.exe), PID 584
   - Modifies registry class
117. C:\Windows\SysWOW64\Amejeljk.exe (command line: C:\Windows\system32\Amejeljk.exe), PID 2000
   - Modifies registry class
118. C:\Windows\SysWOW64\Amejeljk.exe (command line: C:\Windows\system32\Amejeljk.exe), PID 2212
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Apcfahio.exe (command line: C:\Windows\system32\Apcfahio.exe), PID 1828
   - Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Aoffmd32.exe (command line: C:\Windows\system32\Aoffmd32.exe), PID 2648
   - Modifies registry class
121. C:\Windows\SysWOW64\Abbbnchb.exe (command line: C:\Windows\system32\Abbbnchb.exe), PID 2644
   - Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Aepojo32.exe (command line: C:\Windows\system32\Aepojo32.exe), PID 2716