Analysis
max time kernel: 144s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02/05/2024, 04:54
Static task
static1
Behavioral task
behavioral1
Sample
e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Resource
win10v2004-20240419-en
General
Target: e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Size: 439KB
MD5: 706e0179cfa2f9c1eb90eb55ab3f8152
SHA1: 3e73dbabb57367ecf88bfaa448a288b0bbb47c94
SHA256: e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b
SHA512: 59037021ef0007fb660cfec5fbc8b34b1a320c70b60f42b7d73029661531cc76f2cff26830a8c43f1b4d60b10a9729153ee13d91f92231536f5eae0fd2fbbf59
SSDEEP: 12288:6VbYrVPeKm2OPeKm22Vtp90NtmVtp90NtXONt:6UpEkpEY
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aifjgdkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfceom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbgkgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhhominh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bodhjdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjnhaco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiepea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mngjeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejlnmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmeeepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjicjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqokpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocefpnom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaablcej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdofebo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelljepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afbpnlcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blniinac.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghbhhnhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcqebd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaogognm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmikpngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdddm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gabofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmaad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npolmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmpolof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikagogco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgnelll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifpqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfbnddq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmlddeio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldbkbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghajacmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjpgdik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
Ilhlan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oodjjign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glnkcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maapjjml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlndnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajqfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbiocd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbjfcnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbipolj.exe -
Detects executables packed with ConfuserEx Mod 64 IoCs
resource yara_rule behavioral1/files/0x000b0000000155e2-5.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0008000000015c5d-19.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0007000000015c7c-35.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0009000000015d88-54.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0014000000015c2f-60.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000186a0-72.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0006000000018ae8-88.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0006000000018b33-104.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0006000000018b42-120.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0006000000018b6a-128.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/1184-136-0x0000000000400000-0x000000000049A000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0006000000018b96-142.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/904-135-0x0000000000220000-0x00000000002BA000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0006000000018d06-158.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000192f4-178.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/1976-164-0x0000000000220000-0x00000000002BA000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019333-188.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/1640-201-0x0000000000400000-0x000000000049A000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019377-203.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000193b0-221.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001946b-234.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019473-244.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000194a4-256.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/2136-275-0x0000000000400000-0x000000000049A000-memory.dmp 
INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00040000000194d8-266.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000194e8-277.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000194ee-290.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000194f2-299.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/2036-308-0x0000000000400000-0x000000000049A000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001950c-310.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/1000-319-0x0000000000400000-0x000000000049A000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019547-321.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001959c-334.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000195a2-342.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/2684-349-0x0000000000400000-0x000000000049A000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000195a6-354.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/2520-373-0x0000000000400000-0x000000000049A000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000195a8-363.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000195aa-376.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000195ff-387.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x00050000000196d8-397.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019bd6-407.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019bd8-417.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019cba-427.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019d4d-438.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x0005000000019f42-448.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/memory/1092-457-0x0000000000400000-0x000000000049A000-memory.dmp INDICATOR_EXE_Packed_ConfuserEx 
behavioral1/files/0x000500000001a00c-459.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a04c-468.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a31e-480.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a3cd-495.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a3c5-491.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a40b-515.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a42b-525.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a432-535.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a441-543.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a445-551.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a449-562.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a44d-573.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a451-586.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a455-597.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a459-608.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a45d-620.dat INDICATOR_EXE_Packed_ConfuserEx behavioral1/files/0x000500000001a461-634.dat INDICATOR_EXE_Packed_ConfuserEx -
Executes dropped EXE 64 IoCs
pid Process
2680 Lmbonmll.exe
2536 Lpedeg32.exe
2552 Mcifdj32.exe
2432 Mmfdhojb.exe
2508 Mimemp32.exe
2516 Nidkmojn.exe
868 Nocpkf32.exe
2372 Oiakgcnl.exe
904 Oidglb32.exe
1184 Pddnnp32.exe
1976 Pojbkh32.exe
2236 Aipfmane.exe
1964 Afdgfelo.exe
1640 Anolkh32.exe
2736 Bjmbqhif.exe
672 Bbmapj32.exe
2268 Bleeioil.exe
1320 Cifelgmd.exe
1804 Dbafjlaa.exe
2136 Dlndnacm.exe
1664 Eeielfhk.exe
1516 Elldgehk.exe
2036 Efdhpjok.exe
1000 Fgcejm32.exe
1876 Foccjood.exe
2684 Gjbmelgm.exe
2056 Gegabegc.exe
2488 Giiglhjb.exe
2520 Hebdfind.exe
2420 Hipmmg32.exe
2568 Hdoghdmd.exe
2460 Idcacc32.exe
392 Ibhndp32.exe
2316 Ifffkncm.exe
576 Jabdql32.exe
2696 Jdcmbgkj.exe
1092 Jplkmgol.exe
1936 Jpogbgmi.exe
1504 Khoebi32.exe
2204 Kcdjoaee.exe
1644 Kbigpn32.exe
2704 Kgfoie32.exe
1524 Lblcfnhj.exe
2260 Lfbbjpgd.exe
1348 Liqoflfh.exe
2780 Mejlalji.exe
1908 Melifl32.exe
976 Mbpipp32.exe
1648 Mngjeamd.exe
2176 Mhonngce.exe
2820 Ncfoch32.exe
1952 Najpll32.exe
2480 Nhdhif32.exe
2584 Npolmh32.exe
2628 Nigafnck.exe
2128 Npaich32.exe
2304 Nlhjhi32.exe
2192 Obdojcef.exe
3032 Oeehln32.exe
2876 Odjdmjgo.exe
840 Omcifpnp.exe
572 Okgjodmi.exe
760 Pdonhj32.exe
1912 Pdakniag.exe
Loads dropped DLL 64 IoCs
pid Process 1500 e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe 1500 e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe 2680 Lmbonmll.exe 2680 Lmbonmll.exe 2536 Lpedeg32.exe 2536 Lpedeg32.exe 2552 Mcifdj32.exe 2552 Mcifdj32.exe 2432 Mmfdhojb.exe 2432 Mmfdhojb.exe 2508 Mimemp32.exe 2508 Mimemp32.exe 2516 Nidkmojn.exe 2516 Nidkmojn.exe 868 Nocpkf32.exe 868 Nocpkf32.exe 2372 Oiakgcnl.exe 2372 Oiakgcnl.exe 904 Oidglb32.exe 904 Oidglb32.exe 1184 Pddnnp32.exe 1184 Pddnnp32.exe 1976 Pojbkh32.exe 1976 Pojbkh32.exe 2236 Aipfmane.exe 2236 Aipfmane.exe 1964 Afdgfelo.exe 1964 Afdgfelo.exe 1640 Anolkh32.exe 1640 Anolkh32.exe 2736 Bjmbqhif.exe 2736 Bjmbqhif.exe 672 Bbmapj32.exe 672 Bbmapj32.exe 2268 Bleeioil.exe 2268 Bleeioil.exe 1320 Cifelgmd.exe 1320 Cifelgmd.exe 1804 Dbafjlaa.exe 1804 Dbafjlaa.exe 2136 Dlndnacm.exe 2136 Dlndnacm.exe 1664 Eeielfhk.exe 1664 Eeielfhk.exe 1516 Elldgehk.exe 1516 Elldgehk.exe 2036 Efdhpjok.exe 2036 Efdhpjok.exe 1000 Fgcejm32.exe 1000 Fgcejm32.exe 1876 Foccjood.exe 1876 Foccjood.exe 2684 Gjbmelgm.exe 2684 Gjbmelgm.exe 2056 Gegabegc.exe 2056 Gegabegc.exe 2488 Giiglhjb.exe 2488 Giiglhjb.exe 2520 Hebdfind.exe 2520 Hebdfind.exe 2420 Hipmmg32.exe 2420 Hipmmg32.exe 2568 Hdoghdmd.exe 2568 Hdoghdmd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ladgkmlj.exe Liibgkoo.exe File opened for modification C:\Windows\SysWOW64\Mllhne32.exe Lkmldbcj.exe File opened for modification C:\Windows\SysWOW64\Qifpqi32.exe Qkbpgeai.exe File opened for modification C:\Windows\SysWOW64\Kgfoie32.exe Kbigpn32.exe File created C:\Windows\SysWOW64\Kqojbd32.dll Hidcef32.exe File created C:\Windows\SysWOW64\Hejmpqop.exe Hbidne32.exe File created C:\Windows\SysWOW64\Mkipao32.exe Mflgih32.exe File opened for modification C:\Windows\SysWOW64\Geloanjg.exe Glckihcg.exe File opened for modification C:\Windows\SysWOW64\Nmgjee32.exe Mhfhaoec.exe File created C:\Windows\SysWOW64\Aqanke32.exe Qgiibp32.exe File created C:\Windows\SysWOW64\Liqoflfh.exe Lfbbjpgd.exe File opened for modification C:\Windows\SysWOW64\Nlhjhi32.exe Npaich32.exe File created C:\Windows\SysWOW64\Jfbinf32.exe Jfpmifoa.exe File created C:\Windows\SysWOW64\Eocmep32.dll Mhfhaoec.exe File created C:\Windows\SysWOW64\Bnihdemo.exe Bimoloog.exe File created C:\Windows\SysWOW64\Gnkoid32.exe Ggagmjbq.exe File opened for modification C:\Windows\SysWOW64\Dnhefh32.exe Dhklna32.exe File created C:\Windows\SysWOW64\Gpqlnhfp.dll Jinfli32.exe File created C:\Windows\SysWOW64\Jaamhjgm.dll Kobkbaac.exe File created C:\Windows\SysWOW64\Almdmc32.dll Lfbbjpgd.exe File created C:\Windows\SysWOW64\Caccmo32.dll Haleefoe.exe File created C:\Windows\SysWOW64\Nihcog32.exe Nnnbni32.exe File created C:\Windows\SysWOW64\Gkcekfad.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Opnqffif.dll Gdfiofhn.exe File created C:\Windows\SysWOW64\Kfacdqhf.exe Knfopnkk.exe File created C:\Windows\SysWOW64\Hnflnfbm.exe Habkeacd.exe File created C:\Windows\SysWOW64\Cpqhdl32.dll Hjlioj32.exe File created C:\Windows\SysWOW64\Ifigco32.dll Hfcjdkpg.exe File opened for modification C:\Windows\SysWOW64\Ehjqgjmp.exe Emdmjamj.exe File opened for modification C:\Windows\SysWOW64\Pbgefa32.exe Pecelm32.exe File created C:\Windows\SysWOW64\Hqnpad32.dll Nlbgkgcc.exe 
File created C:\Windows\SysWOW64\Ghajacmo.exe Fhomkcoa.exe File created C:\Windows\SysWOW64\Lklgbadb.exe Lhknaf32.exe File created C:\Windows\SysWOW64\Mjpbcokk.dll Odedge32.exe File created C:\Windows\SysWOW64\Pkkbcl32.dll Ijfqfj32.exe File opened for modification C:\Windows\SysWOW64\Pdigkk32.exe Pkpcbecl.exe File created C:\Windows\SysWOW64\Lpcbkpnn.dll Fpkchm32.exe File created C:\Windows\SysWOW64\Eoomai32.exe Dkeahf32.exe File created C:\Windows\SysWOW64\Okfmbm32.exe Nanhihno.exe File opened for modification C:\Windows\SysWOW64\Mfeaiime.exe Llmmpcfe.exe File created C:\Windows\SysWOW64\Pfpgeall.dll Ebknblho.exe File created C:\Windows\SysWOW64\Nflfad32.exe Nldahn32.exe File opened for modification C:\Windows\SysWOW64\Bklpjlmc.exe Boeoek32.exe File created C:\Windows\SysWOW64\Gmaonc32.dll Dbmkfh32.exe File created C:\Windows\SysWOW64\Qeegim32.dll Joppeeif.exe File created C:\Windows\SysWOW64\Igeddb32.exe Ibillk32.exe File opened for modification C:\Windows\SysWOW64\Amglgn32.exe Abbhje32.exe File opened for modification C:\Windows\SysWOW64\Neghdg32.exe Nhcgkbja.exe File created C:\Windows\SysWOW64\Jandaf32.dll Glckihcg.exe File opened for modification C:\Windows\SysWOW64\Ofaolcmh.exe Omhkcnfg.exe File opened for modification C:\Windows\SysWOW64\Jmdiahco.exe Igeddb32.exe File created C:\Windows\SysWOW64\Okmqlhnm.dll e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe File created C:\Windows\SysWOW64\Bgffhkoj.exe Bkpeci32.exe File created C:\Windows\SysWOW64\Dcoaml32.dll Akpkmo32.exe File created C:\Windows\SysWOW64\Iediin32.exe Ifolhann.exe File created C:\Windows\SysWOW64\Nihkmh32.dll Ainkcf32.exe File created C:\Windows\SysWOW64\Lmhnej32.dll Hibidc32.exe File created C:\Windows\SysWOW64\Ljamki32.dll Qlgkki32.exe File created C:\Windows\SysWOW64\Dabahf32.dll Mnpobefe.exe File created C:\Windows\SysWOW64\Mpphdpcf.exe Mjfphf32.exe File created C:\Windows\SysWOW64\Nldahn32.exe Nqmqcmdh.exe File opened for modification C:\Windows\SysWOW64\Kpafapbk.exe 
Kdkelolf.exe File created C:\Windows\SysWOW64\Ciagojda.exe Cfanmogq.exe File created C:\Windows\SysWOW64\Idohdhbo.exe Igkhjdde.exe -
Program crash 1 IoCs
pid pid_target Process procid_target
4772 4160 WerFault.exe 873
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maoalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgfjggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldmaijdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibagdh32.dll" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chbihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpoih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkeahf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikmibjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecomg32.dll" Cifelgmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjddgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienjoljk.dll" Clilmbhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 
Nlbgkgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phmfpddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcifdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpipp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nakikpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjkhha.dll" Npppaejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmedlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epbbkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liibgkoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heijidbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Capocbbb.dll" Jlhkgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcoaaei.dll" Bklpjlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpfoboml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecmfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikfklni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlaof32.dll" Hlcbfnjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqmqcmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeokba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coefaghp.dll" Ppopja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlepioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onocon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhehfk32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olbogqoe.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihjolae.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ladgkmlj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhnemdbf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogmngn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdonhj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgjccb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnlpnk32.dll" Fofbhgde.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmbdddn.dll" Plhaeofp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmqgkiq.dll" Lolofd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjpgdik.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinefnpo.dll" Gekhgh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmbji32.dll" Hahnac32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeomgho.dll" Nfahomfd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjdeqif.dll" Kikokf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niqgof32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enadon32.dll" Nqpdcc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdoccg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljbipolj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfddmhe.dll" Podpoffm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcnedka.dll" Oojfnakl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imlmlm32.dll" Npaich32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmaonc32.dll" Dbmkfh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joqgkdem.dll" Gkebafoa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gockgdeh.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1500 wrote to memory of 2680 1500 e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe 28
PID 1500 wrote to memory of 2680 1500 e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe 28
PID 1500 wrote to memory of 2680 1500 e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe 28
PID 1500 wrote to memory of 2680 1500 e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe 28
PID 2680 wrote to memory of 2536 2680 Lmbonmll.exe 29
PID 2680 wrote to memory of 2536 2680 Lmbonmll.exe 29
PID 2680 wrote to memory of 2536 2680 Lmbonmll.exe 29
PID 2680 wrote to memory of 2536 2680 Lmbonmll.exe 29
PID 2536 wrote to memory of 2552 2536 Lpedeg32.exe 30
PID 2536 wrote to memory of 2552 2536 Lpedeg32.exe 30
PID 2536 wrote to memory of 2552 2536 Lpedeg32.exe 30
PID 2536 wrote to memory of 2552 2536 Lpedeg32.exe 30
PID 2552 wrote to memory of 2432 2552 Mcifdj32.exe 31
PID 2552 wrote to memory of 2432 2552 Mcifdj32.exe 31
PID 2552 wrote to memory of 2432 2552 Mcifdj32.exe 31
PID 2552 wrote to memory of 2432 2552 Mcifdj32.exe 31
PID 2432 wrote to memory of 2508 2432 Mmfdhojb.exe 32
PID 2432 wrote to memory of 2508 2432 Mmfdhojb.exe 32
PID 2432 wrote to memory of 2508 2432 Mmfdhojb.exe 32
PID 2432 wrote to memory of 2508 2432 Mmfdhojb.exe 32
PID 2508 wrote to memory of 2516 2508 Mimemp32.exe 33
PID 2508 wrote to memory of 2516 2508 Mimemp32.exe 33
PID 2508 wrote to memory of 2516 2508 Mimemp32.exe 33
PID 2508 wrote to memory of 2516 2508 Mimemp32.exe 33
PID 2516 wrote to memory of 868 2516 Nidkmojn.exe 34
PID 2516 wrote to memory of 868 2516 Nidkmojn.exe 34
PID 2516 wrote to memory of 868 2516 Nidkmojn.exe 34
PID 2516 wrote to memory of 868 2516 Nidkmojn.exe 34
PID 868 wrote to memory of 2372 868 Nocpkf32.exe 35
PID 868 wrote to memory of 2372 868 Nocpkf32.exe 35
PID 868 wrote to memory of 2372 868 Nocpkf32.exe 35
PID 868 wrote to memory of 2372 868 Nocpkf32.exe 35
PID 2372 wrote to memory of 904 2372 Oiakgcnl.exe 36
PID 2372 wrote to memory of 904 2372 Oiakgcnl.exe 36
PID 2372 wrote to memory of 904 2372 Oiakgcnl.exe 36
PID 2372 wrote to memory of 904 2372 Oiakgcnl.exe 36
PID 904 wrote to memory of 1184 904 Oidglb32.exe 37
PID 904 wrote to memory of 1184 904 Oidglb32.exe 37
PID 904 wrote to memory of 1184 904 Oidglb32.exe 37
PID 904 wrote to memory of 1184 904 Oidglb32.exe 37
PID 1184 wrote to memory of 1976 1184 Pddnnp32.exe 38
PID 1184 wrote to memory of 1976 1184 Pddnnp32.exe 38
PID 1184 wrote to memory of 1976 1184 Pddnnp32.exe 38
PID 1184 wrote to memory of 1976 1184 Pddnnp32.exe 38
PID 1976 wrote to memory of 2236 1976 Pojbkh32.exe 39
PID 1976 wrote to memory of 2236 1976 Pojbkh32.exe 39
PID 1976 wrote to memory of 2236 1976 Pojbkh32.exe 39
PID 1976 wrote to memory of 2236 1976 Pojbkh32.exe 39
PID 2236 wrote to memory of 1964 2236 Aipfmane.exe 40
PID 2236 wrote to memory of 1964 2236 Aipfmane.exe 40
PID 2236 wrote to memory of 1964 2236 Aipfmane.exe 40
PID 2236 wrote to memory of 1964 2236 Aipfmane.exe 40
PID 1964 wrote to memory of 1640 1964 Afdgfelo.exe 41
PID 1964 wrote to memory of 1640 1964 Afdgfelo.exe 41
PID 1964 wrote to memory of 1640 1964 Afdgfelo.exe 41
PID 1964 wrote to memory of 1640 1964 Afdgfelo.exe 41
PID 1640 wrote to memory of 2736 1640 Anolkh32.exe 42
PID 1640 wrote to memory of 2736 1640 Anolkh32.exe 42
PID 1640 wrote to memory of 2736 1640 Anolkh32.exe 42
PID 1640 wrote to memory of 2736 1640 Anolkh32.exe 42
PID 2736 wrote to memory of 672 2736 Bjmbqhif.exe 43
PID 2736 wrote to memory of 672 2736 Bjmbqhif.exe 43
PID 2736 wrote to memory of 672 2736 Bjmbqhif.exe 43
PID 2736 wrote to memory of 672 2736 Bjmbqhif.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe"  (depth 1)
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Lmbonmll.exe  cmd: C:\Windows\system32\Lmbonmll.exe  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Lpedeg32.exe  cmd: C:\Windows\system32\Lpedeg32.exe  (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Mcifdj32.exe  cmd: C:\Windows\system32\Mcifdj32.exe  (depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Mmfdhojb.exe  cmd: C:\Windows\system32\Mmfdhojb.exe  (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Mimemp32.exe  cmd: C:\Windows\system32\Mimemp32.exe  (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Nidkmojn.exe  cmd: C:\Windows\system32\Nidkmojn.exe  (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Nocpkf32.exe  cmd: C:\Windows\system32\Nocpkf32.exe  (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Oiakgcnl.exe  cmd: C:\Windows\system32\Oiakgcnl.exe  (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Oidglb32.exe  cmd: C:\Windows\system32\Oidglb32.exe  (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Pddnnp32.exe  cmd: C:\Windows\system32\Pddnnp32.exe  (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Pojbkh32.exe  cmd: C:\Windows\system32\Pojbkh32.exe  (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Aipfmane.exe  cmd: C:\Windows\system32\Aipfmane.exe  (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Afdgfelo.exe  cmd: C:\Windows\system32\Afdgfelo.exe  (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Anolkh32.exe  cmd: C:\Windows\system32\Anolkh32.exe  (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Bjmbqhif.exe  cmd: C:\Windows\system32\Bjmbqhif.exe  (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Bbmapj32.exe  cmd: C:\Windows\system32\Bbmapj32.exe  (depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID:672 -
C:\Windows\SysWOW64\Bleeioil.exe  cmd: C:\Windows\system32\Bleeioil.exe  (depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Cifelgmd.exe  cmd: C:\Windows\system32\Cifelgmd.exe  (depth 19)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Dbafjlaa.exe  cmd: C:\Windows\system32\Dbafjlaa.exe  (depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Dlndnacm.exe  cmd: C:\Windows\system32\Dlndnacm.exe  (depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Eeielfhk.exe  cmd: C:\Windows\system32\Eeielfhk.exe  (depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Elldgehk.exe  cmd: C:\Windows\system32\Elldgehk.exe  (depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Efdhpjok.exe  cmd: C:\Windows\system32\Efdhpjok.exe  (depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Fgcejm32.exe  cmd: C:\Windows\system32\Fgcejm32.exe  (depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Foccjood.exe  cmd: C:\Windows\system32\Foccjood.exe  (depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Gjbmelgm.exe  cmd: C:\Windows\system32\Gjbmelgm.exe  (depth 27)
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Gegabegc.exe  cmd: C:\Windows\system32\Gegabegc.exe  (depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Giiglhjb.exe  cmd: C:\Windows\system32\Giiglhjb.exe  (depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Hebdfind.exe  cmd: C:\Windows\system32\Hebdfind.exe  (depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Hipmmg32.exe  cmd: C:\Windows\system32\Hipmmg32.exe  (depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Hdoghdmd.exe  cmd: C:\Windows\system32\Hdoghdmd.exe  (depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Idcacc32.exe  cmd: C:\Windows\system32\Idcacc32.exe  (depth 33)
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ibhndp32.exe  cmd: C:\Windows\system32\Ibhndp32.exe  (depth 34)
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Ifffkncm.exe  cmd: C:\Windows\system32\Ifffkncm.exe  (depth 35)
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Jabdql32.exe  cmd: C:\Windows\system32\Jabdql32.exe  (depth 36)
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Jdcmbgkj.exe  cmd: C:\Windows\system32\Jdcmbgkj.exe  (depth 37)
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Jplkmgol.exe  cmd: C:\Windows\system32\Jplkmgol.exe  (depth 38)
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Jpogbgmi.exe  cmd: C:\Windows\system32\Jpogbgmi.exe  (depth 39)
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Khoebi32.exe  cmd: C:\Windows\system32\Khoebi32.exe  (depth 40)
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Kcdjoaee.exe  cmd: C:\Windows\system32\Kcdjoaee.exe  (depth 41)
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Kbigpn32.exe  cmd: C:\Windows\system32\Kbigpn32.exe  (depth 42)
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Kgfoie32.exe  cmd: C:\Windows\system32\Kgfoie32.exe  (depth 43)
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Lblcfnhj.exe  cmd: C:\Windows\system32\Lblcfnhj.exe  (depth 44)
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Lfbbjpgd.exe  cmd: C:\Windows\system32\Lfbbjpgd.exe  (depth 45)
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Liqoflfh.exe  cmd: C:\Windows\system32\Liqoflfh.exe  (depth 46)
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Mejlalji.exe  cmd: C:\Windows\system32\Mejlalji.exe  (depth 47)
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Melifl32.exe  cmd: C:\Windows\system32\Melifl32.exe  (depth 48)
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Mbpipp32.exe  cmd: C:\Windows\system32\Mbpipp32.exe  (depth 49)
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Mngjeamd.exe  cmd: C:\Windows\system32\Mngjeamd.exe  (depth 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Mhonngce.exe  cmd: C:\Windows\system32\Mhonngce.exe  (depth 51)
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Ncfoch32.exe  cmd: C:\Windows\system32\Ncfoch32.exe  (depth 52)
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Najpll32.exe  cmd: C:\Windows\system32\Najpll32.exe  (depth 53)
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Nhdhif32.exe  cmd: C:\Windows\system32\Nhdhif32.exe  (depth 54)
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Npolmh32.exe  cmd: C:\Windows\system32\Npolmh32.exe  (depth 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Nigafnck.exe  cmd: C:\Windows\system32\Nigafnck.exe  (depth 56)
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Npaich32.exe  cmd: C:\Windows\system32\Npaich32.exe  (depth 57)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Nlhjhi32.exe  cmd: C:\Windows\system32\Nlhjhi32.exe  (depth 58)
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Obdojcef.exe  cmd: C:\Windows\system32\Obdojcef.exe  (depth 59)
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Oeehln32.exe  cmd: C:\Windows\system32\Oeehln32.exe  (depth 60)
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Odjdmjgo.exe  cmd: C:\Windows\system32\Odjdmjgo.exe  (depth 61)
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Omcifpnp.exe  cmd: C:\Windows\system32\Omcifpnp.exe  (depth 62)
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Okgjodmi.exe  cmd: C:\Windows\system32\Okgjodmi.exe  (depth 63)
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Pdonhj32.exe  cmd: C:\Windows\system32\Pdonhj32.exe  (depth 64)
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Pdakniag.exe  cmd: C:\Windows\system32\Pdakniag.exe  (depth 65)
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Pnjofo32.exe  cmd: C:\Windows\system32\Pnjofo32.exe  (depth 66)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Plolgk32.exe  cmd: C:\Windows\system32\Plolgk32.exe  (depth 67)
PID:1548 -
C:\Windows\SysWOW64\Phfmllbd.exe  cmd: C:\Windows\system32\Phfmllbd.exe  (depth 68)
PID:1744 -
C:\Windows\SysWOW64\Phhjblpa.exe  cmd: C:\Windows\system32\Phhjblpa.exe  (depth 69)
PID:1604 -
C:\Windows\SysWOW64\Qaqnkafa.exe  cmd: C:\Windows\system32\Qaqnkafa.exe  (depth 70)
PID:772 -
C:\Windows\SysWOW64\Qqfkln32.exe  cmd: C:\Windows\system32\Qqfkln32.exe  (depth 71)
PID:1308 -
C:\Windows\SysWOW64\Akkoig32.exe  cmd: C:\Windows\system32\Akkoig32.exe  (depth 72)
PID:2280 -
C:\Windows\SysWOW64\Agbpnh32.exe  cmd: C:\Windows\system32\Agbpnh32.exe  (depth 73)
PID:1732 -
C:\Windows\SysWOW64\Aqjdgmgd.exe  cmd: C:\Windows\system32\Aqjdgmgd.exe  (depth 74)
PID:2988 -
C:\Windows\SysWOW64\Aqmamm32.exe  cmd: C:\Windows\system32\Aqmamm32.exe  (depth 75)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Ajeeeblb.exe  cmd: C:\Windows\system32\Ajeeeblb.exe  (depth 76)
PID:808 -
C:\Windows\SysWOW64\Abpjjeim.exe  cmd: C:\Windows\system32\Abpjjeim.exe  (depth 77)
PID:1668 -
C:\Windows\SysWOW64\Akiobk32.exe  cmd: C:\Windows\system32\Akiobk32.exe  (depth 78)
PID:1820 -
C:\Windows\SysWOW64\Bimoloog.exe  cmd: C:\Windows\system32\Bimoloog.exe  (depth 79)
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Bnihdemo.exe  cmd: C:\Windows\system32\Bnihdemo.exe  (depth 80)
PID:780 -
C:\Windows\SysWOW64\Bkmhnjlh.exe  cmd: C:\Windows\system32\Bkmhnjlh.exe  (depth 81)
PID:2352 -
C:\Windows\SysWOW64\Bajqfq32.exe  cmd: C:\Windows\system32\Bajqfq32.exe  (depth 82)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Bkpeci32.exe  cmd: C:\Windows\system32\Bkpeci32.exe  (depth 83)
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Bgffhkoj.exe  cmd: C:\Windows\system32\Bgffhkoj.exe  (depth 84)
PID:2596 -
C:\Windows\SysWOW64\Bnqned32.exe  cmd: C:\Windows\system32\Bnqned32.exe  (depth 85)
PID:2624 -
C:\Windows\SysWOW64\Cnckjddd.exe  cmd: C:\Windows\system32\Cnckjddd.exe  (depth 86)
PID:2440 -
C:\Windows\SysWOW64\Cpdgbm32.exe  cmd: C:\Windows\system32\Cpdgbm32.exe  (depth 87)
PID:2448 -
C:\Windows\SysWOW64\Cacclpae.exe  cmd: C:\Windows\system32\Cacclpae.exe  (depth 88)
PID:2904 -
C:\Windows\SysWOW64\Cjlheehe.exe  cmd: C:\Windows\system32\Cjlheehe.exe  (depth 89)
PID:2380 -
C:\Windows\SysWOW64\Ccdmnj32.exe  cmd: C:\Windows\system32\Ccdmnj32.exe  (depth 90)
PID:1692 -
C:\Windows\SysWOW64\Cpkmcldj.exe  cmd: C:\Windows\system32\Cpkmcldj.exe  (depth 91)
PID:1996 -
C:\Windows\SysWOW64\Cehfkb32.exe  cmd: C:\Windows\system32\Cehfkb32.exe  (depth 92)
PID:2232 -
C:\Windows\SysWOW64\Dejbqb32.exe  cmd: C:\Windows\system32\Dejbqb32.exe  (depth 93)
PID:1180 -
C:\Windows\SysWOW64\Dobgihgp.exe  cmd: C:\Windows\system32\Dobgihgp.exe  (depth 94)
PID:2000 -
C:\Windows\SysWOW64\Dmhdkdlg.exe  cmd: C:\Windows\system32\Dmhdkdlg.exe  (depth 95)
PID:528 -
C:\Windows\SysWOW64\Dklddhka.exe  cmd: C:\Windows\system32\Dklddhka.exe  (depth 96)
PID:1892 -
C:\Windows\SysWOW64\Diaaeepi.exe  cmd: C:\Windows\system32\Diaaeepi.exe  (depth 97)
PID:3016 -
C:\Windows\SysWOW64\Ddfebnoo.exe  cmd: C:\Windows\system32\Ddfebnoo.exe  (depth 98)
PID:1768 -
C:\Windows\SysWOW64\Dmojkc32.exe  cmd: C:\Windows\system32\Dmojkc32.exe  (depth 99)
PID:1376 -
C:\Windows\SysWOW64\Folfoj32.exe  cmd: C:\Windows\system32\Folfoj32.exe  (depth 100)
PID:1784 -
C:\Windows\SysWOW64\Fjegog32.exe  cmd: C:\Windows\system32\Fjegog32.exe  (depth 101)
PID:1824 -
C:\Windows\SysWOW64\Fdkklp32.exe  cmd: C:\Windows\system32\Fdkklp32.exe  (depth 102)
PID:2824 -
C:\Windows\SysWOW64\Flfpabkp.exe  cmd: C:\Windows\system32\Flfpabkp.exe  (depth 103)
PID:1212 -
C:\Windows\SysWOW64\Fjjpjgjj.exe  cmd: C:\Windows\system32\Fjjpjgjj.exe  (depth 104)
PID:2104 -
C:\Windows\SysWOW64\Flhmfbim.exe  cmd: C:\Windows\system32\Flhmfbim.exe  (depth 105)
PID:3048 -
C:\Windows\SysWOW64\Fhomkcoa.exe  cmd: C:\Windows\system32\Fhomkcoa.exe  (depth 106)
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Ghajacmo.exe  cmd: C:\Windows\system32\Ghajacmo.exe  (depth 107)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Gcgnnlle.exe  cmd: C:\Windows\system32\Gcgnnlle.exe  (depth 108)
PID:2532 -
C:\Windows\SysWOW64\Gmpcgace.exe  cmd: C:\Windows\system32\Gmpcgace.exe  (depth 109)
PID:2416 -
C:\Windows\SysWOW64\Ggicgopd.exe  cmd: C:\Windows\system32\Ggicgopd.exe  (depth 110)
PID:1480 -
C:\Windows\SysWOW64\Gqahqd32.exe  cmd: C:\Windows\system32\Gqahqd32.exe  (depth 111)
PID:1588 -
C:\Windows\SysWOW64\Gkglnm32.exe  cmd: C:\Windows\system32\Gkglnm32.exe  (depth 112)
PID:2008 -
C:\Windows\SysWOW64\Gepafc32.exe  cmd: C:\Windows\system32\Gepafc32.exe  (depth 113)
PID:1916 -
C:\Windows\SysWOW64\Hjlioj32.exe  cmd: C:\Windows\system32\Hjlioj32.exe  (depth 114)
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Hfcjdkpg.exe  cmd: C:\Windows\system32\Hfcjdkpg.exe  (depth 115)
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Hahnac32.exe  cmd: C:\Windows\system32\Hahnac32.exe  (depth 116)
- Modifies registry class
PID:476 -
C:\Windows\SysWOW64\Hidcef32.exe  cmd: C:\Windows\system32\Hidcef32.exe  (depth 117)
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Hblgnkdh.exe  cmd: C:\Windows\system32\Hblgnkdh.exe  (depth 118)
PID:2768 -
C:\Windows\SysWOW64\Hihlqeib.exe  cmd: C:\Windows\system32\Hihlqeib.exe  (depth 119)
PID:1160 -
C:\Windows\SysWOW64\Hneeilgj.exe  cmd: C:\Windows\system32\Hneeilgj.exe  (depth 120)
PID:932 -
C:\Windows\SysWOW64\Ibcnojnp.exe  cmd: C:\Windows\system32\Ibcnojnp.exe  (depth 121)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:980 -
C:\Windows\SysWOW64\Ihpfgalh.exe  cmd: C:\Windows\system32\Ihpfgalh.exe  (depth 122)
PID:2156