Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/04/2024, 10:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
25c68ef1a84c065a3945e79fd8de50cb.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
25c68ef1a84c065a3945e79fd8de50cb.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
25c68ef1a84c065a3945e79fd8de50cb.exe
-
Size
104KB
-
MD5
25c68ef1a84c065a3945e79fd8de50cb
-
SHA1
c0d845b36c29bfa3aa97356c1846192794fd2372
-
SHA256
6f986944433073694b5dd3a7d620b6e18f91954c97fbf07569b584f91145a758
-
SHA512
5b0ca8f92dd9aa840639d6fe53a0faf0120fc6173e7f41eaca4ffcff049de27c0dd87fa03e72f79632e73fae1782e5e5d579162f3a3987380f6923d9e4090b63
-
SSDEEP
3072:VqcTFBtm7Jm+QeoIuE+h3+rJM++SYSUZCbCdW:VqunmgKoFEcAJN+SYSUZCbX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glqkefff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkboeobh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npadcfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfbdpabn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfejmobh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icdhdfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbieebha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppolhcnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkholi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fncbha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjbdbjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pacfjfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhdcmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdqcenmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcicma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhanngbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddnic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdbnmbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfnjbdep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbnmkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidlqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdiakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaofedkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qlimed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppdbgncl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncbha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migcpneb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgjbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmgfod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhefhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlhgpag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdfkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegnol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kicfijal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mldhacpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcabhido.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bikeni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjbdbjbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbahm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkefphem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fongpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Niglfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dalkek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dphiaffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncecioib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdngpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmmgof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ellpmolj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfglfdkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cienon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakjnnap.exe -
Executes dropped EXE 64 IoCs
pid Process 496 Qlimed32.exe 4496 Bedgjgkg.exe 2600 Bffcpg32.exe 4804 Chglab32.exe 4260 Chiigadc.exe 3676 Clgbmp32.exe 1604 Cljobphg.exe 2004 Dfglfdkb.exe 4524 Dbnmke32.exe 3780 Dflfac32.exe 2940 Ekkkoj32.exe 3140 Efpomccg.exe 2604 Eiahnnph.exe 4312 Ekaapi32.exe 5016 Eppjfgcp.exe 1856 Flfkkhid.exe 2320 Fbbpmb32.exe 2460 Flmqlg32.exe 4848 Fbjena32.exe 2520 Gblbca32.exe 3560 Gbnoiqdq.exe 4560 Gikdkj32.exe 3700 Gimqajgh.exe 2772 Hlnjbedi.exe 2956 Hfcnpn32.exe 3716 Hmbphg32.exe 4428 Illfdc32.exe 4776 Jgkmgk32.exe 4620 Jljbeali.exe 228 Jphkkpbp.exe 2020 Kcidmkpq.exe 1064 Kjeiodek.exe 2392 Kpanan32.exe 3948 Kpcjgnhb.exe 1152 Lgpoihnl.exe 2536 Lfeljd32.exe 2708 Lfgipd32.exe 4868 Lopmii32.exe 1504 Lfjfecno.exe 4880 Mqafhl32.exe 772 Mogcihaj.exe 2304 Mqfpckhm.exe 3420 Mokmdh32.exe 4572 Njfkmphe.exe 3724 Nfaemp32.exe 808 Ogcnmc32.exe 1068 Ocjoadei.exe 3444 Oghghb32.exe 4420 Ondljl32.exe 3092 Ohlqcagj.exe 2700 Phonha32.exe 3592 Pfdjinjo.exe 3228 Pdhkcb32.exe 3340 Ppolhcnm.exe 1420 Pdmdnadc.exe 1496 Akkffkhk.exe 5112 Afbgkl32.exe 4248 Amnlme32.exe 4592 Aggpfkjj.exe 3460 Amcehdod.exe 3532 Bgnffj32.exe 3500 Bacjdbch.exe 4104 Bddcenpi.exe 4576 Bpkdjofm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aoibcl32.dll Dgjoif32.exe File opened for modification C:\Windows\SysWOW64\Gihpkd32.exe Gnpphljo.exe File created C:\Windows\SysWOW64\Qpbnhl32.exe Qclmck32.exe File created C:\Windows\SysWOW64\Aaofedkl.exe Akenij32.exe File created C:\Windows\SysWOW64\Jmjkhghe.dll Cnmebblf.exe File created C:\Windows\SysWOW64\Aehojk32.dll Eddnic32.exe File created C:\Windows\SysWOW64\Pahpee32.exe Pgbkgmao.exe File created C:\Windows\SysWOW64\Dbbdip32.exe Dgmpkg32.exe File created C:\Windows\SysWOW64\Dnooce32.dll Jokiig32.exe File created C:\Windows\SysWOW64\Lfgnho32.dll Pidlqb32.exe File created C:\Windows\SysWOW64\Ccblbb32.exe Cmedjl32.exe File created C:\Windows\SysWOW64\Gajlgpic.dll Fjjjgh32.exe File opened for modification C:\Windows\SysWOW64\Bikeni32.exe Bpbpecen.exe File created C:\Windows\SysWOW64\Dlmegd32.exe Dagajlal.exe File created C:\Windows\SysWOW64\Ldldehjm.dll Gimqajgh.exe File created C:\Windows\SysWOW64\Illfdc32.exe Hmbphg32.exe File opened for modification C:\Windows\SysWOW64\Aggpfkjj.exe Amnlme32.exe File created C:\Windows\SysWOW64\Jhbkgiif.dll Glnnofhi.exe File opened for modification C:\Windows\SysWOW64\Amnlme32.exe Afbgkl32.exe File created C:\Windows\SysWOW64\Nhfjcpfb.dll Flmqlg32.exe File opened for modification C:\Windows\SysWOW64\Gggfme32.exe Gqmnpk32.exe File created C:\Windows\SysWOW64\Iameid32.exe Iheaqolo.exe File created C:\Windows\SysWOW64\Cqghcn32.exe Bkjpkg32.exe File opened for modification C:\Windows\SysWOW64\Hhpheo32.exe Hligqnjp.exe File opened for modification C:\Windows\SysWOW64\Fjpoio32.exe Eecfah32.exe File created C:\Windows\SysWOW64\Doojec32.exe Dakikoom.exe File created C:\Windows\SysWOW64\Gkhikf32.dll Pkholi32.exe File created C:\Windows\SysWOW64\Gcgqag32.exe Glmhdm32.exe File created C:\Windows\SysWOW64\Nggjog32.exe Nolekd32.exe File created C:\Windows\SysWOW64\Jkggfeam.dll Lpinac32.exe File created C:\Windows\SysWOW64\Iifmbajf.dll Lbgjmnno.exe File created C:\Windows\SysWOW64\Pafkgphl.exe Pimfpc32.exe File opened for modification C:\Windows\SysWOW64\Epjhcnbp.exe Eippgckc.exe File created C:\Windows\SysWOW64\Efnieaef.dll Anjpeelk.exe File created C:\Windows\SysWOW64\Lpinac32.exe Liofdigo.exe File opened for modification C:\Windows\SysWOW64\Bffcpg32.exe Bedgjgkg.exe File created C:\Windows\SysWOW64\Kcgekjgp.exe Kjopbd32.exe File opened for modification C:\Windows\SysWOW64\Ldhdlnli.exe Lfddci32.exe File created C:\Windows\SysWOW64\Ojhiogdd.exe Oihmedma.exe File opened for modification C:\Windows\SysWOW64\Fcmnkh32.exe Feimadoe.exe File created C:\Windows\SysWOW64\Lgpoihnl.exe Kpcjgnhb.exe File opened for modification C:\Windows\SysWOW64\Ijigfaol.exe Icooig32.exe File created C:\Windows\SysWOW64\Miikdm32.dll Lfjchn32.exe File opened for modification C:\Windows\SysWOW64\Nbjpjl32.exe Npldnp32.exe File opened for modification C:\Windows\SysWOW64\Kcidmkpq.exe Jphkkpbp.exe File created C:\Windows\SysWOW64\Fmamhbhe.dll Cpdgqmnb.exe File opened for modification C:\Windows\SysWOW64\Pimfpc32.exe Ppdbgncl.exe File created C:\Windows\SysWOW64\Ceiemclg.dll Fekclnif.exe File created C:\Windows\SysWOW64\Fcpnhp32.dll Laiafl32.exe File created C:\Windows\SysWOW64\Jjnaaa32.exe Jeaiij32.exe File created C:\Windows\SysWOW64\Eihlahjd.exe Enbhdojn.exe File created C:\Windows\SysWOW64\Dflfac32.exe Dbnmke32.exe File created C:\Windows\SysWOW64\Bbbcimhh.dll Foakpc32.exe File created C:\Windows\SysWOW64\Ohpefcna.dll Qkcackeb.exe File created C:\Windows\SysWOW64\Ledioi32.dll Qoocnpag.exe File created C:\Windows\SysWOW64\Fdjhkl32.dll Eangjkkd.exe File created C:\Windows\SysWOW64\Keecjl32.dll Kokbpe32.exe File created C:\Windows\SysWOW64\Gkedmpik.dll Lfqjhmhk.exe File created C:\Windows\SysWOW64\Hgeihiac.exe Halaloif.exe File created C:\Windows\SysWOW64\Fgiabhkn.dll Bejhhd32.exe File created C:\Windows\SysWOW64\Cnaoemei.dll Kfjjbd32.exe File created C:\Windows\SysWOW64\Gofdmmgd.dll Qlimed32.exe File opened for modification C:\Windows\SysWOW64\Mablfnne.exe Mapppn32.exe File created C:\Windows\SysWOW64\Epjhcnbp.exe Eippgckc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10212 10108 WerFault.exe 612 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fekclnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Njfkmphe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pacfjfej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhpheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblidf32.dll" Njmopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnmlhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iabbeiag.dll" Lfmghdpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npadcfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gcqjal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejdonq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlbdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbjlgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncjdki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbdkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhcfleff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmmgae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll" Gdgdeppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbpnjdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiffij32.dll" Kmeiie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Najjmjkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Babcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjihfbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaaneok.dll" Icefib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mackfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhdcmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edfknb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjnaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocfgq32.dll" Hladlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppdbgncl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehpadhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abpmpkoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abipfifn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgjpfqpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfbakio.dll" Nchhfild.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladlqj32.dll" Cpnpqakp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icakofel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoljhi32.dll" Ncbfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll" Ekaapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll" Oonlfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffpcbchm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhopgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lopkkdgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbjgcnll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlgegcng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eimlgnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbgjmnno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pimfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lipmoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bqnemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donloloo.dll" Cgjcfgoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbjpjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qoocnpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgjpfqpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggfobofl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cancekeo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4992 wrote to memory of 496 4992 25c68ef1a84c065a3945e79fd8de50cb.exe 90 PID 4992 wrote to memory of 496 4992 25c68ef1a84c065a3945e79fd8de50cb.exe 90 PID 4992 wrote to memory of 496 4992 25c68ef1a84c065a3945e79fd8de50cb.exe 90 PID 496 wrote to memory of 4496 496 Qlimed32.exe 91 PID 496 wrote to memory of 4496 496 Qlimed32.exe 91 PID 496 wrote to memory of 4496 496 Qlimed32.exe 91 PID 4496 wrote to memory of 2600 4496 Bedgjgkg.exe 92 PID 4496 wrote to memory of 2600 4496 Bedgjgkg.exe 92 PID 4496 wrote to memory of 2600 4496 Bedgjgkg.exe 92 PID 2600 wrote to memory of 4804 2600 Bffcpg32.exe 93 PID 2600 wrote to memory of 4804 2600 Bffcpg32.exe 93 PID 2600 wrote to memory of 4804 2600 Bffcpg32.exe 93 PID 4804 wrote to memory of 4260 4804 Chglab32.exe 94 PID 4804 wrote to memory of 4260 4804 Chglab32.exe 94 PID 4804 wrote to memory of 4260 4804 Chglab32.exe 94 PID 4260 wrote to memory of 3676 4260 Chiigadc.exe 95 PID 4260 wrote to memory of 3676 4260 Chiigadc.exe 95 PID 4260 wrote to memory of 3676 4260 Chiigadc.exe 95 PID 3676 wrote to memory of 1604 3676 Clgbmp32.exe 96 PID 3676 wrote to memory of 1604 3676 Clgbmp32.exe 96 PID 3676 wrote to memory of 1604 3676 Clgbmp32.exe 96 PID 1604 wrote to memory of 2004 1604 Cljobphg.exe 97 PID 1604 wrote to memory of 2004 1604 Cljobphg.exe 97 PID 1604 wrote to memory of 2004 1604 Cljobphg.exe 97 PID 2004 wrote to memory of 4524 2004 Dfglfdkb.exe 98 PID 2004 wrote to memory of 4524 2004 Dfglfdkb.exe 98 PID 2004 wrote to memory of 4524 2004 Dfglfdkb.exe 98 PID 4524 wrote to memory of 3780 4524 Dbnmke32.exe 99 PID 4524 wrote to memory of 3780 4524 Dbnmke32.exe 99 PID 4524 wrote to memory of 3780 4524 Dbnmke32.exe 99 PID 3780 wrote to memory of 2940 3780 Dflfac32.exe 100 PID 3780 wrote to memory of 2940 3780 Dflfac32.exe 100 PID 3780 wrote to memory of 2940 3780 Dflfac32.exe 100 PID 2940 wrote to memory of 3140 2940 Ekkkoj32.exe 101 PID 2940 wrote to memory of 3140 2940 Ekkkoj32.exe 101 PID 2940 wrote to memory of 3140 2940 Ekkkoj32.exe 101 PID 3140 wrote to memory of 2604 3140 Efpomccg.exe 102 PID 3140 wrote to memory of 2604 3140 Efpomccg.exe 102 PID 3140 wrote to memory of 2604 3140 Efpomccg.exe 102 PID 2604 wrote to memory of 4312 2604 Eiahnnph.exe 103 PID 2604 wrote to memory of 4312 2604 Eiahnnph.exe 103 PID 2604 wrote to memory of 4312 2604 Eiahnnph.exe 103 PID 4312 wrote to memory of 5016 4312 Ekaapi32.exe 104 PID 4312 wrote to memory of 5016 4312 Ekaapi32.exe 104 PID 4312 wrote to memory of 5016 4312 Ekaapi32.exe 104 PID 5016 wrote to memory of 1856 5016 Eppjfgcp.exe 105 PID 5016 wrote to memory of 1856 5016 Eppjfgcp.exe 105 PID 5016 wrote to memory of 1856 5016 Eppjfgcp.exe 105 PID 1856 wrote to memory of 2320 1856 Flfkkhid.exe 106 PID 1856 wrote to memory of 2320 1856 Flfkkhid.exe 106 PID 1856 wrote to memory of 2320 1856 Flfkkhid.exe 106 PID 2320 wrote to memory of 2460 2320 Fbbpmb32.exe 107 PID 2320 wrote to memory of 2460 2320 Fbbpmb32.exe 107 PID 2320 wrote to memory of 2460 2320 Fbbpmb32.exe 107 PID 2460 wrote to memory of 4848 2460 Flmqlg32.exe 108 PID 2460 wrote to memory of 4848 2460 Flmqlg32.exe 108 PID 2460 wrote to memory of 4848 2460 Flmqlg32.exe 108 PID 4848 wrote to memory of 2520 4848 Fbjena32.exe 109 PID 4848 wrote to memory of 2520 4848 Fbjena32.exe 109 PID 4848 wrote to memory of 2520 4848 Fbjena32.exe 109 PID 2520 wrote to memory of 3560 2520 Gblbca32.exe 110 PID 2520 wrote to memory of 3560 2520 Gblbca32.exe 110 PID 2520 wrote to memory of 3560 2520 Gblbca32.exe 110 PID 3560 wrote to memory of 4560 3560 Gbnoiqdq.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\25c68ef1a84c065a3945e79fd8de50cb.exe"C:\Users\Admin\AppData\Local\Temp\25c68ef1a84c065a3945e79fd8de50cb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe23⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3700 -
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe25⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe26⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3716 -
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe28⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe30⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Jphkkpbp.exeC:\Windows\system32\Jphkkpbp.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:228 -
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe33⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe34⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3948 -
C:\Windows\SysWOW64\Lgpoihnl.exeC:\Windows\system32\Lgpoihnl.exe36⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe37⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Lfgipd32.exeC:\Windows\system32\Lfgipd32.exe38⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Lopmii32.exeC:\Windows\system32\Lopmii32.exe39⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Lfjfecno.exeC:\Windows\system32\Lfjfecno.exe40⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe41⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe42⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Mqfpckhm.exeC:\Windows\system32\Mqfpckhm.exe43⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe44⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe46⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe47⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe48⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe49⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe51⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Pfdjinjo.exeC:\Windows\system32\Pfdjinjo.exe53⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe54⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Ppolhcnm.exeC:\Windows\system32\Ppolhcnm.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe56⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe57⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Afbgkl32.exeC:\Windows\system32\Afbgkl32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4248 -
C:\Windows\SysWOW64\Aggpfkjj.exeC:\Windows\system32\Aggpfkjj.exe60⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe61⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe62⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Bddcenpi.exeC:\Windows\system32\Bddcenpi.exe64⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe65⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe66⤵PID:456
-
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe67⤵PID:4028
-
C:\Windows\SysWOW64\Coqncejg.exeC:\Windows\system32\Coqncejg.exe68⤵PID:1608
-
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe69⤵
- Modifies registry class
PID:3436 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe70⤵
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe71⤵PID:32
-
C:\Windows\SysWOW64\Cgqlcg32.exeC:\Windows\system32\Cgqlcg32.exe72⤵PID:1156
-
C:\Windows\SysWOW64\Dhbebj32.exeC:\Windows\system32\Dhbebj32.exe73⤵PID:1740
-
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe74⤵
- Drops file in System32 directory
PID:464 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe75⤵PID:2632
-
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe76⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Dhikci32.exeC:\Windows\system32\Dhikci32.exe77⤵PID:2572
-
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe79⤵
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Eomffaag.exeC:\Windows\system32\Eomffaag.exe80⤵PID:4924
-
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe81⤵PID:2024
-
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe82⤵
- Drops file in System32 directory
PID:3824 -
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe83⤵PID:4940
-
C:\Windows\SysWOW64\Hecjke32.exeC:\Windows\system32\Hecjke32.exe84⤵PID:5136
-
C:\Windows\SysWOW64\Hhdcmp32.exeC:\Windows\system32\Hhdcmp32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Ipdndloi.exeC:\Windows\system32\Ipdndloi.exe86⤵PID:5232
-
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe87⤵PID:5280
-
C:\Windows\SysWOW64\Iajdgcab.exeC:\Windows\system32\Iajdgcab.exe88⤵
- Modifies registry class
PID:5336 -
C:\Windows\SysWOW64\Iondqhpl.exeC:\Windows\system32\Iondqhpl.exe89⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Kbhmbdle.exeC:\Windows\system32\Kbhmbdle.exe90⤵PID:5436
-
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe91⤵PID:5484
-
C:\Windows\SysWOW64\Kabcopmg.exeC:\Windows\system32\Kabcopmg.exe92⤵PID:5528
-
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe93⤵PID:5572
-
C:\Windows\SysWOW64\Lcfidb32.exeC:\Windows\system32\Lcfidb32.exe94⤵PID:5620
-
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe95⤵PID:5668
-
C:\Windows\SysWOW64\Ljbnfleo.exeC:\Windows\system32\Ljbnfleo.exe96⤵PID:5720
-
C:\Windows\SysWOW64\Llcghg32.exeC:\Windows\system32\Llcghg32.exe97⤵PID:5764
-
C:\Windows\SysWOW64\Mapppn32.exeC:\Windows\system32\Mapppn32.exe98⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Mablfnne.exeC:\Windows\system32\Mablfnne.exe99⤵PID:5852
-
C:\Windows\SysWOW64\Mofmobmo.exeC:\Windows\system32\Mofmobmo.exe100⤵PID:5896
-
C:\Windows\SysWOW64\Mljmhflh.exeC:\Windows\system32\Mljmhflh.exe101⤵PID:5940
-
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe102⤵PID:5988
-
C:\Windows\SysWOW64\Mhanngbl.exeC:\Windows\system32\Mhanngbl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Mjpjgj32.exeC:\Windows\system32\Mjpjgj32.exe104⤵PID:6076
-
C:\Windows\SysWOW64\Nciopppp.exeC:\Windows\system32\Nciopppp.exe105⤵PID:6120
-
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe106⤵PID:5132
-
C:\Windows\SysWOW64\Njljch32.exeC:\Windows\system32\Njljch32.exe107⤵PID:5216
-
C:\Windows\SysWOW64\Ofckhj32.exeC:\Windows\system32\Ofckhj32.exe108⤵PID:5248
-
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe109⤵PID:5376
-
C:\Windows\SysWOW64\Oonlfo32.exeC:\Windows\system32\Oonlfo32.exe110⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe111⤵PID:5508
-
C:\Windows\SysWOW64\Oihmedma.exeC:\Windows\system32\Oihmedma.exe112⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Ojhiogdd.exeC:\Windows\system32\Ojhiogdd.exe113⤵PID:5632
-
C:\Windows\SysWOW64\Ppdbgncl.exeC:\Windows\system32\Ppdbgncl.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Pimfpc32.exeC:\Windows\system32\Pimfpc32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Pafkgphl.exeC:\Windows\system32\Pafkgphl.exe116⤵PID:5840
-
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe117⤵PID:5908
-
C:\Windows\SysWOW64\Pidlqb32.exeC:\Windows\system32\Pidlqb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Pfhmjf32.exeC:\Windows\system32\Pfhmjf32.exe119⤵PID:6044
-
C:\Windows\SysWOW64\Qclmck32.exeC:\Windows\system32\Qclmck32.exe120⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe121⤵PID:5168
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-