Analysis
- max time kernel: 75s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/04/2024, 20:02
Static task: static1
Behavioral task: behavioral1
- Sample: 250bc173168bd00661ae12c75e2c953e01f7a8e534cee86a18a854824a6d8805.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 250bc173168bd00661ae12c75e2c953e01f7a8e534cee86a18a854824a6d8805.exe
- Resource: win10v2004-20240226-en
General
- Target: 250bc173168bd00661ae12c75e2c953e01f7a8e534cee86a18a854824a6d8805.exe
- Size: 59KB
- MD5: cfbd7e367a31b5abfdb04cd29942e1cf
- SHA1: 344a52ccf2aea325817f8dec396364e970edb52f
- SHA256: 250bc173168bd00661ae12c75e2c953e01f7a8e534cee86a18a854824a6d8805
- SHA512: 054034a8793f974cd754d7bce52391ced416e99dc8106df100eca7bdf1b840e8beadb3fb907b944bc3fa466b54324c1e85ceb08a2b0fd36c94022285ab85893d
- SSDEEP: 1536:b5Z7uySULEbnwV7hLywZGREyYqdNCyVs:FZ7uELKnY7hLyfiyYqmes
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC): pid 8788, pid_target 7220, Process "Process not Found", procid_target 1681
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\250bc173168bd00661ae12c75e2c953e01f7a8e534cee86a18a854824a6d8805.exe (command line: "C:\Users\Admin\AppData\Local\Temp\250bc173168bd00661ae12c75e2c953e01f7a8e534cee86a18a854824a6d8805.exe"), PID 3672
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\SysWOW64\Gpolbo32.exe (command line: C:\Windows\system32\Gpolbo32.exe), PID 4520
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\SysWOW64\Ggmmlamj.exe (command line: C:\Windows\system32\Ggmmlamj.exe), PID 1712
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\SysWOW64\Giljfddl.exe (command line: C:\Windows\system32\Giljfddl.exe), PID 4800
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\SysWOW64\Hhaggp32.exe (command line: C:\Windows\system32\Hhaggp32.exe), PID 4204
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 6] C:\Windows\SysWOW64\Hnnljj32.exe (command line: C:\Windows\system32\Hnnljj32.exe), PID 3036
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 7] C:\Windows\SysWOW64\Hnphoj32.exe (command line: C:\Windows\system32\Hnphoj32.exe), PID 3380
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 8] C:\Windows\SysWOW64\Hnbeeiji.exe (command line: C:\Windows\system32\Hnbeeiji.exe), PID 3420
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 9] C:\Windows\SysWOW64\Ihkjno32.exe (command line: C:\Windows\system32\Ihkjno32.exe), PID 3796
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 10] C:\Windows\SysWOW64\Iacngdgj.exe (command line: C:\Windows\system32\Iacngdgj.exe), PID 872
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 11] C:\Windows\SysWOW64\Iogopi32.exe (command line: C:\Windows\system32\Iogopi32.exe), PID 1128
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 12] C:\Windows\SysWOW64\Ilkoim32.exe (command line: C:\Windows\system32\Ilkoim32.exe), PID 3500
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 13] C:\Windows\SysWOW64\Iiopca32.exe (command line: C:\Windows\system32\Iiopca32.exe), PID 3980
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 14] C:\Windows\SysWOW64\Iehmmb32.exe (command line: C:\Windows\system32\Iehmmb32.exe), PID 396
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 15] C:\Windows\SysWOW64\Jbojlfdp.exe (command line: C:\Windows\system32\Jbojlfdp.exe), PID 4748
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 16] C:\Windows\SysWOW64\Jikoopij.exe (command line: C:\Windows\system32\Jikoopij.exe), PID 4440
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 17] C:\Windows\SysWOW64\Jafdcbge.exe (command line: C:\Windows\system32\Jafdcbge.exe), PID 4444
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 18] C:\Windows\SysWOW64\Jpgdai32.exe (command line: C:\Windows\system32\Jpgdai32.exe), PID 3804
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 19] C:\Windows\SysWOW64\Kiphjo32.exe (command line: C:\Windows\system32\Kiphjo32.exe), PID 636
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 20] C:\Windows\SysWOW64\Koonge32.exe (command line: C:\Windows\system32\Koonge32.exe), PID 4120
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [depth 21] C:\Windows\SysWOW64\Khiofk32.exe (command line: C:\Windows\system32\Khiofk32.exe), PID 4976
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 22] C:\Windows\SysWOW64\Klggli32.exe (command line: C:\Windows\system32\Klggli32.exe), PID 1624
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 23] C:\Windows\SysWOW64\Likhem32.exe (command line: C:\Windows\system32\Likhem32.exe), PID 2892
  - Executes dropped EXE
- [depth 24] C:\Windows\SysWOW64\Lojmcdgl.exe (command line: C:\Windows\system32\Lojmcdgl.exe), PID 932
  - Executes dropped EXE
- [depth 25] C:\Windows\SysWOW64\Lancko32.exe (command line: C:\Windows\system32\Lancko32.exe), PID 3176
  - Executes dropped EXE
- [depth 26] C:\Windows\SysWOW64\Mcoljagj.exe (command line: C:\Windows\system32\Mcoljagj.exe), PID 3184
  - Executes dropped EXE
  - Modifies registry class
- [depth 27] C:\Windows\SysWOW64\Mbdiknlb.exe (command line: C:\Windows\system32\Mbdiknlb.exe), PID 4316
  - Executes dropped EXE
- [depth 28] C:\Windows\SysWOW64\Mpeiie32.exe (command line: C:\Windows\system32\Mpeiie32.exe), PID 2348
  - Executes dropped EXE
- [depth 29] C:\Windows\SysWOW64\Mqhfoebo.exe (command line: C:\Windows\system32\Mqhfoebo.exe), PID 4576
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 30] C:\Windows\SysWOW64\Momcpa32.exe (command line: C:\Windows\system32\Momcpa32.exe), PID 2628
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 31] C:\Windows\SysWOW64\Noppeaed.exe (command line: C:\Windows\system32\Noppeaed.exe), PID 5000
  - Executes dropped EXE
- [depth 32] C:\Windows\SysWOW64\Nhhdnf32.exe (command line: C:\Windows\system32\Nhhdnf32.exe), PID 5004
  - Executes dropped EXE
- [depth 33] C:\Windows\SysWOW64\Ncmhko32.exe (command line: C:\Windows\system32\Ncmhko32.exe), PID 1460
  - Executes dropped EXE
- [depth 34] C:\Windows\SysWOW64\Nodiqp32.exe (command line: C:\Windows\system32\Nodiqp32.exe), PID 3616
  - Executes dropped EXE
- [depth 35] C:\Windows\SysWOW64\Njjmni32.exe (command line: C:\Windows\system32\Njjmni32.exe), PID 1808
  - Executes dropped EXE
- [depth 36] C:\Windows\SysWOW64\Ncbafoge.exe (command line: C:\Windows\system32\Ncbafoge.exe), PID 5056
  - Executes dropped EXE
- [depth 37] C:\Windows\SysWOW64\Omalpc32.exe (command line: C:\Windows\system32\Omalpc32.exe), PID 1848
  - Executes dropped EXE
- [depth 38] C:\Windows\SysWOW64\Ockdmmoj.exe (command line: C:\Windows\system32\Ockdmmoj.exe), PID 3888
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 39] C:\Windows\SysWOW64\Opbean32.exe (command line: C:\Windows\system32\Opbean32.exe), PID 456
  - Executes dropped EXE
- [depth 40] C:\Windows\SysWOW64\Omfekbdh.exe (command line: C:\Windows\system32\Omfekbdh.exe), PID 1924
  - Executes dropped EXE
- [depth 41] C:\Windows\SysWOW64\Pimfpc32.exe (command line: C:\Windows\system32\Pimfpc32.exe), PID 2908
  - Executes dropped EXE
- [depth 42] C:\Windows\SysWOW64\Pcbkml32.exe (command line: C:\Windows\system32\Pcbkml32.exe), PID 1880
  - Executes dropped EXE
- [depth 43] C:\Windows\SysWOW64\Piocecgj.exe (command line: C:\Windows\system32\Piocecgj.exe), PID 2112
  - Executes dropped EXE
- [depth 44] C:\Windows\SysWOW64\Pjoppf32.exe (command line: C:\Windows\system32\Pjoppf32.exe), PID 4856
  - Executes dropped EXE
- [depth 45] C:\Windows\SysWOW64\Pcgdhkem.exe (command line: C:\Windows\system32\Pcgdhkem.exe), PID 3944
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 46] C:\Windows\SysWOW64\Pblajhje.exe (command line: C:\Windows\system32\Pblajhje.exe), PID 4696
  - Executes dropped EXE
- [depth 47] C:\Windows\SysWOW64\Qjffpe32.exe (command line: C:\Windows\system32\Qjffpe32.exe), PID 4688
  - Executes dropped EXE
- [depth 48] C:\Windows\SysWOW64\Qikbaaml.exe (command line: C:\Windows\system32\Qikbaaml.exe), PID 4108
  - Executes dropped EXE
- [depth 49] C:\Windows\SysWOW64\Abcgjg32.exe (command line: C:\Windows\system32\Abcgjg32.exe), PID 4132
  - Executes dropped EXE
- [depth 50] C:\Windows\SysWOW64\Abfdpfaj.exe (command line: C:\Windows\system32\Abfdpfaj.exe), PID 3088
  - Executes dropped EXE
  - Modifies registry class
- [depth 51] C:\Windows\SysWOW64\Abhqefpg.exe (command line: C:\Windows\system32\Abhqefpg.exe), PID 3584
  - Executes dropped EXE
- [depth 52] C:\Windows\SysWOW64\Affikdfn.exe (command line: C:\Windows\system32\Affikdfn.exe), PID 220
  - Executes dropped EXE
- [depth 53] C:\Windows\SysWOW64\Adjjeieh.exe (command line: C:\Windows\system32\Adjjeieh.exe), PID 1748
  - Executes dropped EXE
- [depth 54] C:\Windows\SysWOW64\Bmbnnn32.exe (command line: C:\Windows\system32\Bmbnnn32.exe), PID 2400
  - Executes dropped EXE
- [depth 55] C:\Windows\SysWOW64\Bfkbfd32.exe (command line: C:\Windows\system32\Bfkbfd32.exe), PID 4952
  - Executes dropped EXE
- [depth 56] C:\Windows\SysWOW64\Bdapehop.exe (command line: C:\Windows\system32\Bdapehop.exe), PID 4360
  - Executes dropped EXE
- [depth 57] C:\Windows\SysWOW64\Baepolni.exe (command line: C:\Windows\system32\Baepolni.exe), PID 3044
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 58] C:\Windows\SysWOW64\Bipecnkd.exe (command line: C:\Windows\system32\Bipecnkd.exe), PID 1456
  - Executes dropped EXE
- [depth 59] C:\Windows\SysWOW64\Cajjjk32.exe (command line: C:\Windows\system32\Cajjjk32.exe), PID 4704
  - Executes dropped EXE
- [depth 60] C:\Windows\SysWOW64\Ckdkhq32.exe (command line: C:\Windows\system32\Ckdkhq32.exe), PID 4176
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 61] C:\Windows\SysWOW64\Ccppmc32.exe (command line: C:\Windows\system32\Ccppmc32.exe), PID 1776
  - Executes dropped EXE
- [depth 62] C:\Windows\SysWOW64\Cgmhcaac.exe (command line: C:\Windows\system32\Cgmhcaac.exe), PID 4940
  - Executes dropped EXE
- [depth 63] C:\Windows\SysWOW64\Cdaile32.exe (command line: C:\Windows\system32\Cdaile32.exe), PID 1256
  - Executes dropped EXE
- [depth 64] C:\Windows\SysWOW64\Ddcebe32.exe (command line: C:\Windows\system32\Ddcebe32.exe), PID 5108
  - Executes dropped EXE
- [depth 65] C:\Windows\SysWOW64\Dnljkk32.exe (command line: C:\Windows\system32\Dnljkk32.exe), PID 840
  - Executes dropped EXE
- [depth 66] C:\Windows\SysWOW64\Dgdncplk.exe (command line: C:\Windows\system32\Dgdncplk.exe), PID 2544
- [depth 67] C:\Windows\SysWOW64\Dpmcmf32.exe (command line: C:\Windows\system32\Dpmcmf32.exe), PID 2404
- [depth 68] C:\Windows\SysWOW64\Dalofi32.exe (command line: C:\Windows\system32\Dalofi32.exe), PID 2968
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 69] C:\Windows\SysWOW64\Djgdkk32.exe (command line: C:\Windows\system32\Djgdkk32.exe), PID 2256
- [depth 70] C:\Windows\SysWOW64\Egkddo32.exe (command line: C:\Windows\system32\Egkddo32.exe), PID 3988
- [depth 71] C:\Windows\SysWOW64\Epdime32.exe (command line: C:\Windows\system32\Epdime32.exe), PID 3472
- [depth 72] C:\Windows\SysWOW64\Ekimjn32.exe (command line: C:\Windows\system32\Ekimjn32.exe), PID 2564
- [depth 73] C:\Windows\SysWOW64\Edaaccbj.exe (command line: C:\Windows\system32\Edaaccbj.exe), PID 3724
- [depth 74] C:\Windows\SysWOW64\Eddnic32.exe (command line: C:\Windows\system32\Eddnic32.exe), PID 3104
  - Drops file in System32 directory
- [depth 75] C:\Windows\SysWOW64\Eqkondfl.exe (command line: C:\Windows\system32\Eqkondfl.exe), PID 4908
- [depth 76] C:\Windows\SysWOW64\Fkcpql32.exe (command line: C:\Windows\system32\Fkcpql32.exe), PID 4884
- [depth 77] C:\Windows\SysWOW64\Fqphic32.exe (command line: C:\Windows\system32\Fqphic32.exe), PID 2332
- [depth 78] C:\Windows\SysWOW64\Fncibg32.exe (command line: C:\Windows\system32\Fncibg32.exe), PID 2784
- [depth 79] C:\Windows\SysWOW64\Fnffhgon.exe (command line: C:\Windows\system32\Fnffhgon.exe), PID 460
- [depth 80] C:\Windows\SysWOW64\Fkjfakng.exe (command line: C:\Windows\system32\Fkjfakng.exe), PID 3252
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 81] C:\Windows\SysWOW64\Fdbkja32.exe (command line: C:\Windows\system32\Fdbkja32.exe), PID 1056
- [depth 82] C:\Windows\SysWOW64\Fnjocf32.exe (command line: C:\Windows\system32\Fnjocf32.exe), PID 1092
  - Modifies registry class
- [depth 83] C:\Windows\SysWOW64\Ggccllai.exe (command line: C:\Windows\system32\Ggccllai.exe), PID 4480
- [depth 84] C:\Windows\SysWOW64\Gqkhda32.exe (command line: C:\Windows\system32\Gqkhda32.exe), PID 4304
- [depth 85] C:\Windows\SysWOW64\Gqnejaff.exe (command line: C:\Windows\system32\Gqnejaff.exe), PID 5136
- [depth 86] C:\Windows\SysWOW64\Gkcigjel.exe (command line: C:\Windows\system32\Gkcigjel.exe), PID 5184
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 87] C:\Windows\SysWOW64\Gcnnllcg.exe (command line: C:\Windows\system32\Gcnnllcg.exe), PID 5220
- [depth 88] C:\Windows\SysWOW64\Gjhfif32.exe (command line: C:\Windows\system32\Gjhfif32.exe), PID 5268
- [depth 89] C:\Windows\SysWOW64\Gdnjfojj.exe (command line: C:\Windows\system32\Gdnjfojj.exe), PID 5308
  - Drops file in System32 directory
- [depth 90] C:\Windows\SysWOW64\Gnfooe32.exe (command line: C:\Windows\system32\Gnfooe32.exe), PID 5352
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 91] C:\Windows\SysWOW64\Hkjohi32.exe (command line: C:\Windows\system32\Hkjohi32.exe), PID 5396
- [depth 92] C:\Windows\SysWOW64\Hkmlnimb.exe (command line: C:\Windows\system32\Hkmlnimb.exe), PID 5440
- [depth 93] C:\Windows\SysWOW64\Hnmeodjc.exe (command line: C:\Windows\system32\Hnmeodjc.exe), PID 5484
  - Modifies registry class
- [depth 94] C:\Windows\SysWOW64\Hjdedepg.exe (command line: C:\Windows\system32\Hjdedepg.exe), PID 5524
- [depth 95] C:\Windows\SysWOW64\Hcljmj32.exe (command line: C:\Windows\system32\Hcljmj32.exe), PID 5580
- [depth 96] C:\Windows\SysWOW64\Iapjgo32.exe (command line: C:\Windows\system32\Iapjgo32.exe), PID 5620
  - Drops file in System32 directory
  - Modifies registry class
- [depth 97] C:\Windows\SysWOW64\Igjbci32.exe (command line: C:\Windows\system32\Igjbci32.exe), PID 5668
- [depth 98] C:\Windows\SysWOW64\Icachjbb.exe (command line: C:\Windows\system32\Icachjbb.exe), PID 5716
- [depth 99] C:\Windows\SysWOW64\Ilkhog32.exe (command line: C:\Windows\system32\Ilkhog32.exe), PID 5764
- [depth 100] C:\Windows\SysWOW64\Jehfcl32.exe (command line: C:\Windows\system32\Jehfcl32.exe), PID 5804
- [depth 101] C:\Windows\SysWOW64\Jjgkab32.exe (command line: C:\Windows\system32\Jjgkab32.exe), PID 5848
  - Drops file in System32 directory
- [depth 102] C:\Windows\SysWOW64\Jhkljfok.exe (command line: C:\Windows\system32\Jhkljfok.exe), PID 5892
- [depth 103] C:\Windows\SysWOW64\Koimbpbc.exe (command line: C:\Windows\system32\Koimbpbc.exe), PID 5932
- [depth 104] C:\Windows\SysWOW64\Keceoj32.exe (command line: C:\Windows\system32\Keceoj32.exe), PID 5972
- [depth 105] C:\Windows\SysWOW64\Kajfdk32.exe (command line: C:\Windows\system32\Kajfdk32.exe), PID 6020
- [depth 106] C:\Windows\SysWOW64\Kkbkmqed.exe (command line: C:\Windows\system32\Kkbkmqed.exe), PID 6064
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 107] C:\Windows\SysWOW64\Kehojiej.exe (command line: C:\Windows\system32\Kehojiej.exe), PID 6104
- [depth 108] C:\Windows\SysWOW64\Kejloi32.exe (command line: C:\Windows\system32\Kejloi32.exe), PID 4516
- [depth 109] C:\Windows\SysWOW64\Kaaldjil.exe (command line: C:\Windows\system32\Kaaldjil.exe), PID 5176
- [depth 110] C:\Windows\SysWOW64\Klgqabib.exe (command line: C:\Windows\system32\Klgqabib.exe), PID 5256
- [depth 111] C:\Windows\SysWOW64\Ldbefe32.exe (command line: C:\Windows\system32\Ldbefe32.exe), PID 5316
- [depth 112] C:\Windows\SysWOW64\Laffpi32.exe (command line: C:\Windows\system32\Laffpi32.exe), PID 5404
- [depth 113] C:\Windows\SysWOW64\Lojfin32.exe (command line: C:\Windows\system32\Lojfin32.exe), PID 5480
- [depth 114] C:\Windows\SysWOW64\Mhiabbdi.exe (command line: C:\Windows\system32\Mhiabbdi.exe), PID 5548
  - Modifies registry class
- [depth 115] C:\Windows\SysWOW64\Mociol32.exe (command line: C:\Windows\system32\Mociol32.exe), PID 5692
- [depth 116] C:\Windows\SysWOW64\Mccokj32.exe (command line: C:\Windows\system32\Mccokj32.exe), PID 5740
- [depth 117] C:\Windows\SysWOW64\Mhpgca32.exe (command line: C:\Windows\system32\Mhpgca32.exe), PID 5832
- [depth 118] C:\Windows\SysWOW64\Nhbciqln.exe (command line: C:\Windows\system32\Nhbciqln.exe), PID 5884
- [depth 119] C:\Windows\SysWOW64\Nchhfild.exe (command line: C:\Windows\system32\Nchhfild.exe), PID 5952
- [depth 120] C:\Windows\SysWOW64\Nhgmcp32.exe (command line: C:\Windows\system32\Nhgmcp32.exe), PID 6000
- [depth 121] C:\Windows\SysWOW64\Noaeqjpe.exe (command line: C:\Windows\system32\Noaeqjpe.exe), PID 6072
- [depth 122] C:\Windows\SysWOW64\Nocbfjmc.exe (command line: C:\Windows\system32\Nocbfjmc.exe), PID 5160