Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23/04/2024, 02:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe
-
Size
236KB
-
MD5
b8ce47c8f40667cf1c94c37ef8879c5b
-
SHA1
e6839c982fb1f0de7a840a6f8285766719e969df
-
SHA256
b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523
-
SHA512
de799cf5d8d5563ea93a19de5f09d0a67e02fdb4751499bcf500e038f8a96b81420473147d8bc06b86ccc5076fe48ab5f76932bec265b4acf57ec601b6bce5fb
-
SSDEEP
3072:mRwuOtk38zbTsZt4VY/ODJ9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJUp:meuOtA8zbTC+Y/ODsDshsrtMsQB4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabbhcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjhknm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfadgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamimc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilncom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgninie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmefooki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdmcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mihiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jicgpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mieeibkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgninie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjapjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heihnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipllekdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcbellac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhbcfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbkameaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblogakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnopfoj.exe -
Executes dropped EXE 64 IoCs
pid Process 2200 Gphmeo32.exe 2112 Hpkjko32.exe 2656 Hnojdcfi.exe 2696 Hpmgqnfl.exe 1364 Hejoiedd.exe 2416 Hlcgeo32.exe 1156 Hgilchkf.exe 2780 Hjjddchg.exe 2964 Hkkalk32.exe 564 Ieqeidnl.exe 2612 Iknnbklc.exe 2616 Idfbkq32.exe 2740 Ikpjgkjq.exe 1484 Idhopq32.exe 1244 Ijeghgoh.exe 2100 Icmlam32.exe 1896 Icpigm32.exe 1976 Ifnechbj.exe 1020 Jnemdecl.exe 2292 Jqdipqbp.exe 2380 Jcbellac.exe 1952 Jfqahgpg.exe 1712 Jmjjea32.exe 2080 Jjojofgn.exe 2728 Jfekcg32.exe 2144 Jicgpb32.exe 2984 Jmocpado.exe 2668 Jnqphi32.exe 2544 Jbllihbf.exe 2768 Kaaijdgn.exe 2396 Kgkafo32.exe 2456 Kjjmbj32.exe 1372 Kaceodek.exe 2772 Kcbakpdo.exe 1376 Kgnnln32.exe 1248 Kngfih32.exe 696 Kmjfdejp.exe 600 Kafbec32.exe 1624 Kgpjanje.exe 868 Kjnfniii.exe 2084 Kmmcjehm.exe 2496 Kahojc32.exe 3028 Kcfkfo32.exe 1208 Kfegbj32.exe 1572 Kiccofna.exe 1320 Kaklpcoc.exe 1804 Kpmlkp32.exe 840 Kblhgk32.exe 2284 Kfgdhjmk.exe 1592 Kifpdelo.exe 2720 Lldlqakb.exe 2212 Lbnemk32.exe 376 Lfjqnjkh.exe 2436 Lmcijcbe.exe 2188 Llfifq32.exe 2976 Loeebl32.exe 2620 Lflmci32.exe 1920 Lijjoe32.exe 2148 Lijjoe32.exe 540 Lliflp32.exe 1064 Logbhl32.exe 1160 Lbcnhjnj.exe 2064 Lafndg32.exe 2684 Limfed32.exe -
Loads dropped DLL 64 IoCs
pid Process 1928 b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe 1928 b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe 2200 Gphmeo32.exe 2200 Gphmeo32.exe 2112 Hpkjko32.exe 2112 Hpkjko32.exe 2656 Hnojdcfi.exe 2656 Hnojdcfi.exe 2696 Hpmgqnfl.exe 2696 Hpmgqnfl.exe 1364 Hejoiedd.exe 1364 Hejoiedd.exe 2416 Hlcgeo32.exe 2416 Hlcgeo32.exe 1156 Hgilchkf.exe 1156 Hgilchkf.exe 2780 Hjjddchg.exe 2780 Hjjddchg.exe 2964 Hkkalk32.exe 2964 Hkkalk32.exe 564 Ieqeidnl.exe 564 Ieqeidnl.exe 2612 Iknnbklc.exe 2612 Iknnbklc.exe 2616 Idfbkq32.exe 2616 Idfbkq32.exe 2740 Ikpjgkjq.exe 2740 Ikpjgkjq.exe 1484 Idhopq32.exe 1484 Idhopq32.exe 1244 Ijeghgoh.exe 1244 Ijeghgoh.exe 2100 Icmlam32.exe 2100 Icmlam32.exe 1896 Icpigm32.exe 1896 Icpigm32.exe 1976 Ifnechbj.exe 1976 Ifnechbj.exe 1020 Jnemdecl.exe 1020 Jnemdecl.exe 2292 Jqdipqbp.exe 2292 Jqdipqbp.exe 2380 Jcbellac.exe 2380 Jcbellac.exe 1952 Jfqahgpg.exe 1952 Jfqahgpg.exe 1712 Jmjjea32.exe 1712 Jmjjea32.exe 2080 Jjojofgn.exe 2080 Jjojofgn.exe 2728 Jfekcg32.exe 2728 Jfekcg32.exe 2144 Jicgpb32.exe 2144 Jicgpb32.exe 2984 Jmocpado.exe 2984 Jmocpado.exe 2668 Jnqphi32.exe 2668 Jnqphi32.exe 2544 Jbllihbf.exe 2544 Jbllihbf.exe 2768 Kaaijdgn.exe 2768 Kaaijdgn.exe 2396 Kgkafo32.exe 2396 Kgkafo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kgpjanje.exe Kafbec32.exe File opened for modification C:\Windows\SysWOW64\Kblhgk32.exe Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Nefpnhlc.exe Ncgdbmmp.exe File opened for modification C:\Windows\SysWOW64\Bafidiio.exe Bmkmdk32.exe File created C:\Windows\SysWOW64\Cnobnmpl.exe Cjdfmo32.exe File created C:\Windows\SysWOW64\Algdlcdm.dll Gjakmc32.exe File created C:\Windows\SysWOW64\Dkqmaqbm.dll Jmplcp32.exe File created C:\Windows\SysWOW64\Lccdel32.exe Laegiq32.exe File created C:\Windows\SysWOW64\Delpclld.dll Mmfbogcn.exe File created C:\Windows\SysWOW64\Hedocp32.exe Haiccald.exe File created C:\Windows\SysWOW64\Bemgilhh.exe Baakhm32.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Iedkbc32.exe File opened for modification C:\Windows\SysWOW64\Miooigfo.exe Mgqcmlgl.exe File created C:\Windows\SysWOW64\Mpigfa32.exe Miooigfo.exe File created C:\Windows\SysWOW64\Ejdmpb32.dll Hjjddchg.exe File created C:\Windows\SysWOW64\Kcbakpdo.exe Kaceodek.exe File opened for modification C:\Windows\SysWOW64\Kcfkfo32.exe Kahojc32.exe File opened for modification C:\Windows\SysWOW64\Mpigfa32.exe Miooigfo.exe File opened for modification C:\Windows\SysWOW64\Knpemf32.exe Kjdilgpc.exe File opened for modification C:\Windows\SysWOW64\Cnmehnan.exe Ckoilb32.exe File opened for modification C:\Windows\SysWOW64\Fpqdkf32.exe Flehkhai.exe File created C:\Windows\SysWOW64\Fffdil32.dll Igakgfpn.exe File created C:\Windows\SysWOW64\Jnfqpega.dll Jchhkjhn.exe File created C:\Windows\SysWOW64\Gpmcnehn.dll Icmlam32.exe File opened for modification C:\Windows\SysWOW64\Ceaadk32.exe Cnkicn32.exe File opened for modification C:\Windows\SysWOW64\Ilncom32.exe Iedkbc32.exe File created C:\Windows\SysWOW64\Aedeic32.dll Ioaifhid.exe File created C:\Windows\SysWOW64\Lcojjmea.exe Leljop32.exe File opened for modification C:\Windows\SysWOW64\Ndhipoob.exe Nmnace32.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hlcgeo32.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Pmdjdh32.exe File created C:\Windows\SysWOW64\Qmhccl32.dll Bidjnkdg.exe File created C:\Windows\SysWOW64\Mecjiaic.dll Ileiplhn.exe File created C:\Windows\SysWOW64\Lmgocb32.exe Lndohedg.exe File created C:\Windows\SysWOW64\Cpnojioo.exe Cnobnmpl.exe File created C:\Windows\SysWOW64\Jdpndnei.exe Jabbhcfe.exe File created C:\Windows\SysWOW64\Lamajm32.dll Nenobfak.exe File opened for modification C:\Windows\SysWOW64\Jnemdecl.exe Ifnechbj.exe File opened for modification C:\Windows\SysWOW64\Maoajf32.exe Mihiih32.exe File opened for modification C:\Windows\SysWOW64\Chpmpg32.exe Ceaadk32.exe File created C:\Windows\SysWOW64\Bipikqbi.dll Jqnejn32.exe File opened for modification C:\Windows\SysWOW64\Ofjfhk32.exe Oclilp32.exe File created C:\Windows\SysWOW64\Jjifqd32.dll Aehboi32.exe File created C:\Windows\SysWOW64\Alfadj32.dll Llcefjgf.exe File created C:\Windows\SysWOW64\Nhlhki32.dll Kfegbj32.exe File created C:\Windows\SysWOW64\Nolhan32.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Nhiffc32.exe Nejiih32.exe File created C:\Windows\SysWOW64\Jejinjob.dll Pkndaa32.exe File created C:\Windows\SysWOW64\Bafidiio.exe Bmkmdk32.exe File created C:\Windows\SysWOW64\Nookinfk.dll Iapebchh.exe File created C:\Windows\SysWOW64\Kicmdo32.exe Kbidgeci.exe File created C:\Windows\SysWOW64\Jjojofgn.exe Jmjjea32.exe File created C:\Windows\SysWOW64\Fioeja32.dll Ocimgp32.exe File created C:\Windows\SysWOW64\Fnnkng32.dll Bkommo32.exe File opened for modification C:\Windows\SysWOW64\Kbkameaf.exe Knpemf32.exe File created C:\Windows\SysWOW64\Mgljbm32.exe Mbpnanch.exe File opened for modification C:\Windows\SysWOW64\Ileiplhn.exe Ifkacb32.exe File created C:\Windows\SysWOW64\Mlfojn32.exe Migbnb32.exe File created C:\Windows\SysWOW64\Logbhl32.exe Lliflp32.exe File created C:\Windows\SysWOW64\Mdkjlm32.dll Nkbhgojk.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Kbfhbeek.exe Kklpekno.exe File created C:\Windows\SysWOW64\Lfjqnjkh.exe Lbnemk32.exe File opened for modification C:\Windows\SysWOW64\Igakgfpn.exe Ipgbjl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qedhdjnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioaifhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgalqkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmpgio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfjhgdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbikjlnd.dll" Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfqpega.dll" Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidengnp.dll" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkddcl32.dll" Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodahd32.dll" Igonafba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmkcoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljnnb32.dll" Ipgbjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll" Kbfhbeek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll" Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdcnhnl.dll" Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okikfagn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aehboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll" Mkklljmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijeghgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocimgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgefik32.dll" Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll" Lcojjmea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noqamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miikgeea.dll" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiehf32.dll" Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkeemhpn.dll" Nolhan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Namqci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdihmjpf.dll" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjiphda.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojald32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 2200 1928 b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe 28 PID 1928 wrote to memory of 2200 1928 b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe 28 PID 1928 wrote to memory of 2200 1928 b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe 28 PID 1928 wrote to memory of 2200 1928 b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe 28 PID 2200 wrote to memory of 2112 2200 Gphmeo32.exe 29 PID 2200 wrote to memory of 2112 2200 Gphmeo32.exe 29 PID 2200 wrote to memory of 2112 2200 Gphmeo32.exe 29 PID 2200 wrote to memory of 2112 2200 Gphmeo32.exe 29 PID 2112 wrote to memory of 2656 2112 Hpkjko32.exe 30 PID 2112 wrote to memory of 2656 2112 Hpkjko32.exe 30 PID 2112 wrote to memory of 2656 2112 Hpkjko32.exe 30 PID 2112 wrote to memory of 2656 2112 Hpkjko32.exe 30 PID 2656 wrote to memory of 2696 2656 Hnojdcfi.exe 31 PID 2656 wrote to memory of 2696 2656 Hnojdcfi.exe 31 PID 2656 wrote to memory of 2696 2656 Hnojdcfi.exe 31 PID 2656 wrote to memory of 2696 2656 Hnojdcfi.exe 31 PID 2696 wrote to memory of 1364 2696 Hpmgqnfl.exe 32 PID 2696 wrote to memory of 1364 2696 Hpmgqnfl.exe 32 PID 2696 wrote to memory of 1364 2696 Hpmgqnfl.exe 32 PID 2696 wrote to memory of 1364 2696 Hpmgqnfl.exe 32 PID 1364 wrote to memory of 2416 1364 Hejoiedd.exe 33 PID 1364 wrote to memory of 2416 1364 Hejoiedd.exe 33 PID 1364 wrote to memory of 2416 1364 Hejoiedd.exe 33 PID 1364 wrote to memory of 2416 1364 Hejoiedd.exe 33 PID 2416 wrote to memory of 1156 2416 Hlcgeo32.exe 34 PID 2416 wrote to memory of 1156 2416 Hlcgeo32.exe 34 PID 2416 wrote to memory of 1156 2416 Hlcgeo32.exe 34 PID 2416 wrote to memory of 1156 2416 Hlcgeo32.exe 34 PID 1156 wrote to memory of 2780 1156 Hgilchkf.exe 35 PID 1156 wrote to memory of 2780 1156 Hgilchkf.exe 35 PID 1156 wrote to memory of 2780 1156 Hgilchkf.exe 35 PID 1156 wrote to memory of 2780 1156 Hgilchkf.exe 35 PID 2780 wrote to memory of 2964 2780 Hjjddchg.exe 36 PID 2780 wrote to memory of 2964 2780 Hjjddchg.exe 36 PID 2780 wrote to memory of 2964 2780 Hjjddchg.exe 36 PID 2780 wrote to memory of 2964 2780 Hjjddchg.exe 36 PID 2964 wrote to memory of 564 2964 Hkkalk32.exe 37 PID 2964 wrote to memory of 564 2964 Hkkalk32.exe 37 PID 2964 wrote to memory of 564 2964 Hkkalk32.exe 37 PID 2964 wrote to memory of 564 2964 Hkkalk32.exe 37 PID 564 wrote to memory of 2612 564 Ieqeidnl.exe 38 PID 564 wrote to memory of 2612 564 Ieqeidnl.exe 38 PID 564 wrote to memory of 2612 564 Ieqeidnl.exe 38 PID 564 wrote to memory of 2612 564 Ieqeidnl.exe 38 PID 2612 wrote to memory of 2616 2612 Iknnbklc.exe 39 PID 2612 wrote to memory of 2616 2612 Iknnbklc.exe 39 PID 2612 wrote to memory of 2616 2612 Iknnbklc.exe 39 PID 2612 wrote to memory of 2616 2612 Iknnbklc.exe 39 PID 2616 wrote to memory of 2740 2616 Idfbkq32.exe 40 PID 2616 wrote to memory of 2740 2616 Idfbkq32.exe 40 PID 2616 wrote to memory of 2740 2616 Idfbkq32.exe 40 PID 2616 wrote to memory of 2740 2616 Idfbkq32.exe 40 PID 2740 wrote to memory of 1484 2740 Ikpjgkjq.exe 41 PID 2740 wrote to memory of 1484 2740 Ikpjgkjq.exe 41 PID 2740 wrote to memory of 1484 2740 Ikpjgkjq.exe 41 PID 2740 wrote to memory of 1484 2740 Ikpjgkjq.exe 41 PID 1484 wrote to memory of 1244 1484 Idhopq32.exe 42 PID 1484 wrote to memory of 1244 1484 Idhopq32.exe 42 PID 1484 wrote to memory of 1244 1484 Idhopq32.exe 42 PID 1484 wrote to memory of 1244 1484 Idhopq32.exe 42 PID 1244 wrote to memory of 2100 1244 Ijeghgoh.exe 43 PID 1244 wrote to memory of 2100 1244 Ijeghgoh.exe 43 PID 1244 wrote to memory of 2100 1244 Ijeghgoh.exe 43 PID 1244 wrote to memory of 2100 1244 Ijeghgoh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe"C:\Users\Admin\AppData\Local\Temp\b26a2716feb1e2b4cbc0e2b9895c2a180ebf9c45498b805443ab86409ecba523.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe33⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe35⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe36⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe37⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe40⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe41⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe42⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe44⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe46⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe47⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe49⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe50⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe51⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe52⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe54⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe55⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe56⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe57⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe58⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe59⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe62⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe63⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe64⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe65⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe66⤵PID:2968
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe67⤵PID:2564
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe68⤵PID:2884
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe69⤵PID:852
-
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe72⤵PID:1436
-
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe73⤵PID:2528
-
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe74⤵PID:2692
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe75⤵PID:1680
-
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe76⤵PID:1600
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe78⤵PID:416
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe79⤵PID:2924
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe80⤵PID:2908
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe82⤵PID:1344
-
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe83⤵PID:484
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe84⤵PID:1116
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe85⤵
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe86⤵PID:1520
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe87⤵PID:816
-
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe88⤵
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe89⤵PID:2816
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe90⤵PID:1996
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe91⤵PID:2672
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe92⤵PID:2060
-
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe93⤵
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe94⤵PID:2952
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe95⤵PID:2788
-
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe96⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe97⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe98⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe99⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe101⤵PID:3036
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe102⤵
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe104⤵PID:904
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe105⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe106⤵PID:1596
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe107⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe108⤵PID:2320
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe109⤵PID:1924
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe110⤵PID:1668
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe111⤵PID:2088
-
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe112⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe114⤵
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe115⤵PID:1284
-
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe116⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe117⤵PID:1396
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe118⤵PID:320
-
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe119⤵PID:2664
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe120⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-