Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 00:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5.exe
-
Size
479KB
-
MD5
c507b418a46bb0fd2abb252f289af07e
-
SHA1
4339ecc553954b11b0ea21fb11917a654127edf9
-
SHA256
b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5
-
SHA512
c516c2f925bdf2bb0b91de5e5cb5a4d959ed519972fcaecd5745c253d6b857c1f5e6ef048c18524ff0ebb3020e69e66f9b30a8ac5abff629a2e877dee01b6773
-
SSDEEP
6144:gssBv9q1XIRJ6EQnT2leTLgNPx33fpu2leTLg:cBvDRJ6EQ6Q2drQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnaji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklaknjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifhdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpqodfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okloegjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocmconhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocopdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejegjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfngap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jangmibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihfcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcicklnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Empoiimf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlegnjbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jknfcofa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnaikd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmnlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khmknk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpjcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhqaefng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mockmala.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hienlpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlopkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgcjdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifljdjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcmofolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfbploob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efikji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddakjkqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fedmqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmehkqk.exe -
Executes dropped EXE 64 IoCs
pid Process 5080 Bibigmpl.exe 1140 Blpechop.exe 2832 Bpnnig32.exe 3444 Bockjc32.exe 2860 Blgkdg32.exe 2592 Cpedjf32.exe 4160 Cccpfa32.exe 4976 Chphoh32.exe 1696 Cpgqpe32.exe 3600 Cojqkbdf.exe 3172 Caimgncj.exe 3244 Cedihl32.exe 3120 Chbedh32.exe 2976 Clnadfbp.exe 2056 Commqb32.exe 2992 Cchiaqjm.exe 4928 Cakjmm32.exe 4412 Cibank32.exe 1092 Chebighd.exe 2452 Cpljkdig.exe 3936 Coojfa32.exe 4532 Camfbm32.exe 3988 Ceibclgn.exe 4372 Chgoogfa.exe 3132 Clckpf32.exe 3928 Coagla32.exe 5096 Ccmclp32.exe 4228 Cekohk32.exe 1992 Digkijmd.exe 2260 Doccaall.exe 3524 Dcopbp32.exe 1360 Denlnk32.exe 1924 Diihojkb.exe 4672 Dhlhjf32.exe 3412 Dpcpkc32.exe 4740 Dofpgqji.exe 3784 Dcalgo32.exe 4044 Dephckaf.exe 2780 Djlddi32.exe 3720 Dljqpd32.exe 3948 Dohmlp32.exe 2508 Dcdimopp.exe 2748 Djnaji32.exe 4728 Dhqaefng.exe 848 Dphifcoi.exe 2068 Dokjbp32.exe 4224 Daifnk32.exe 4800 Djpnohej.exe 2928 Dhcnke32.exe 1568 Dpjflb32.exe 2148 Domfgpca.exe 3096 Dakbckbe.exe 552 Efgodj32.exe 2804 Ehekqe32.exe 2140 Elagacbk.exe 4664 Eoocmoao.exe 3156 Eckonn32.exe 1628 Efikji32.exe 3828 Ejegjh32.exe 1528 Elccfc32.exe 1016 Eoapbo32.exe 4972 Ecmlcmhe.exe 4572 Eflhoigi.exe 3760 Ejgdpg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hapfpelh.dll Process not Found File created C:\Windows\SysWOW64\Megljppl.exe Process not Found File created C:\Windows\SysWOW64\Bhbopgfn.dll Nloiakho.exe File created C:\Windows\SysWOW64\Hildmn32.exe Hgmgqc32.exe File opened for modification C:\Windows\SysWOW64\Cfbcke32.exe Process not Found File created C:\Windows\SysWOW64\Gejopl32.exe Process not Found File created C:\Windows\SysWOW64\Ppdbgncl.exe Process not Found File created C:\Windows\SysWOW64\Jfjdddho.dll Daifnk32.exe File opened for modification C:\Windows\SysWOW64\Aglemn32.exe Amgapeea.exe File created C:\Windows\SysWOW64\Hnaggngj.dll Egijmegb.exe File opened for modification C:\Windows\SysWOW64\Jfgdkd32.exe Jnpmjf32.exe File created C:\Windows\SysWOW64\Pgkelj32.exe Ppamophb.exe File created C:\Windows\SysWOW64\Dmlijb32.dll Pemomqcn.exe File created C:\Windows\SysWOW64\Eoaedogc.dll Process not Found File created C:\Windows\SysWOW64\Bomkcm32.exe Process not Found File created C:\Windows\SysWOW64\Afomjffg.dll Ieolehop.exe File opened for modification C:\Windows\SysWOW64\Feqeog32.exe Process not Found File created C:\Windows\SysWOW64\Mjlhgaqp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fiodpl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Obqanjdb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jeklag32.exe Jpnchp32.exe File created C:\Windows\SysWOW64\Abponp32.exe Akffafgg.exe File created C:\Windows\SysWOW64\Oqbamo32.exe Ojhiqefo.exe File created C:\Windows\SysWOW64\Egijmegb.exe Ekbihd32.exe File created C:\Windows\SysWOW64\Cnnnfkal.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cacmah32.exe Boepel32.exe File created C:\Windows\SysWOW64\Nnjbke32.exe Nklfoi32.exe File created C:\Windows\SysWOW64\Bbnpqk32.exe Bjghpn32.exe File created C:\Windows\SysWOW64\Dicdcemd.dll Process not Found File created C:\Windows\SysWOW64\Eecgicmp.dll Process not Found File created C:\Windows\SysWOW64\Bnjdmn32.dll Kibnhjgj.exe File created C:\Windows\SysWOW64\Occomh32.dll Ealkjh32.exe File created C:\Windows\SysWOW64\Feenjgfq.exe Process not Found File created C:\Windows\SysWOW64\Mqhfoebo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oiihahme.exe Ocopdn32.exe File created C:\Windows\SysWOW64\Nlmdbh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gehbjm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fdlkdhnk.exe Process not Found File created C:\Windows\SysWOW64\Dpmcmd32.dll Ahfdjanb.exe File created C:\Windows\SysWOW64\Oeokal32.exe Process not Found File created C:\Windows\SysWOW64\Cfpffeaj.exe Process not Found File created C:\Windows\SysWOW64\Iomoenej.exe Process not Found File created C:\Windows\SysWOW64\Kafkmp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ohcegi32.exe Process not Found File created C:\Windows\SysWOW64\Migjoaaf.exe Mlcifmbl.exe File created C:\Windows\SysWOW64\Jdokpl32.dll Mifljdjo.exe File opened for modification C:\Windows\SysWOW64\Ckilmcgb.exe Cijpahho.exe File created C:\Windows\SysWOW64\Kllfakij.dll Process not Found File created C:\Windows\SysWOW64\Jehocmdp.dll Dohmlp32.exe File opened for modification C:\Windows\SysWOW64\Elnoopdj.exe Eiobceef.exe File created C:\Windows\SysWOW64\Phigif32.exe Process not Found File created C:\Windows\SysWOW64\Fmpbqoqg.dll Cjnffjkl.exe File opened for modification C:\Windows\SysWOW64\Omqmop32.exe Process not Found File created C:\Windows\SysWOW64\Dolqpa32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mgnnhk32.exe Mnfipekh.exe File created C:\Windows\SysWOW64\Ghaliknf.exe Gfbploob.exe File created C:\Windows\SysWOW64\Jmpgldhg.exe Jfeopj32.exe File opened for modification C:\Windows\SysWOW64\Agjhgngj.exe Amddjegd.exe File opened for modification C:\Windows\SysWOW64\Kcejco32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iojbpo32.exe Process not Found File created C:\Windows\SysWOW64\Kbbfkb32.dll Elagacbk.exe File created C:\Windows\SysWOW64\Cqncfneo.dll Kkihknfg.exe File created C:\Windows\SysWOW64\Fhpili32.dll Eofbch32.exe File created C:\Windows\SysWOW64\Inolmdgj.dll Cakjmm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2124 5552 Process not Found 1704 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekcnknf.dll" Pkjlge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbceejpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdhkdfdh.dll" Jghabl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjehmfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgnbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcfmgfde.dll" Dlijfneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefioe32.dll" Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khnhommq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caghhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imffkelf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbondi.dll" Ejegjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll" Eapedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghlmgij.dll" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnkmnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlihmi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjfai32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaakpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mblkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfhadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlmeco32.dll" Mifcejnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcaaddl.dll" Nhpbfpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfebfnqn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqiogp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcojed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocmconhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckajehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkmlofol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edogedqq.dll" Bidqko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kibnhjgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkooklb.dll" Ghlcnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfbploob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" Bmngqdpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceckcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fojlngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgfdiop.dll" Cmipblaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajbmdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aanbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll" Jigollag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejfeng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbado32.dll" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdomd32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 5080 2736 b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5.exe 83 PID 2736 wrote to memory of 5080 2736 b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5.exe 83 PID 2736 wrote to memory of 5080 2736 b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5.exe 83 PID 5080 wrote to memory of 1140 5080 Bibigmpl.exe 84 PID 5080 wrote to memory of 1140 5080 Bibigmpl.exe 84 PID 5080 wrote to memory of 1140 5080 Bibigmpl.exe 84 PID 1140 wrote to memory of 2832 1140 Blpechop.exe 85 PID 1140 wrote to memory of 2832 1140 Blpechop.exe 85 PID 1140 wrote to memory of 2832 1140 Blpechop.exe 85 PID 2832 wrote to memory of 3444 2832 Bpnnig32.exe 86 PID 2832 wrote to memory of 3444 2832 Bpnnig32.exe 86 PID 2832 wrote to memory of 3444 2832 Bpnnig32.exe 86 PID 3444 wrote to memory of 2860 3444 Bockjc32.exe 87 PID 3444 wrote to memory of 2860 3444 Bockjc32.exe 87 PID 3444 wrote to memory of 2860 3444 Bockjc32.exe 87 PID 2860 wrote to memory of 2592 2860 Blgkdg32.exe 88 PID 2860 wrote to memory of 2592 2860 Blgkdg32.exe 88 PID 2860 wrote to memory of 2592 2860 Blgkdg32.exe 88 PID 2592 wrote to memory of 4160 2592 Cpedjf32.exe 90 PID 2592 wrote to memory of 4160 2592 Cpedjf32.exe 90 PID 2592 wrote to memory of 4160 2592 Cpedjf32.exe 90 PID 4160 wrote to memory of 4976 4160 Cccpfa32.exe 91 PID 4160 wrote to memory of 4976 4160 Cccpfa32.exe 91 PID 4160 wrote to memory of 4976 4160 Cccpfa32.exe 91 PID 4976 wrote to memory of 1696 4976 Chphoh32.exe 92 PID 4976 wrote to memory of 1696 4976 Chphoh32.exe 92 PID 4976 wrote to memory of 1696 4976 Chphoh32.exe 92 PID 1696 wrote to memory of 3600 1696 Cpgqpe32.exe 93 PID 1696 wrote to memory of 3600 1696 Cpgqpe32.exe 93 PID 1696 wrote to memory of 3600 1696 Cpgqpe32.exe 93 PID 3600 wrote to memory of 3172 3600 Cojqkbdf.exe 94 PID 3600 wrote to memory of 3172 3600 Cojqkbdf.exe 94 PID 3600 wrote to memory of 3172 3600 Cojqkbdf.exe 94 PID 3172 wrote to memory of 3244 3172 Caimgncj.exe 95 PID 3172 wrote to memory of 3244 3172 Caimgncj.exe 95 PID 3172 wrote to memory of 3244 3172 Caimgncj.exe 95 PID 3244 wrote to memory of 3120 3244 Cedihl32.exe 96 PID 3244 wrote to memory of 3120 3244 Cedihl32.exe 96 PID 3244 wrote to memory of 3120 3244 Cedihl32.exe 96 PID 3120 wrote to memory of 2976 3120 Chbedh32.exe 97 PID 3120 wrote to memory of 2976 3120 Chbedh32.exe 97 PID 3120 wrote to memory of 2976 3120 Chbedh32.exe 97 PID 2976 wrote to memory of 2056 2976 Clnadfbp.exe 98 PID 2976 wrote to memory of 2056 2976 Clnadfbp.exe 98 PID 2976 wrote to memory of 2056 2976 Clnadfbp.exe 98 PID 2056 wrote to memory of 2992 2056 Commqb32.exe 99 PID 2056 wrote to memory of 2992 2056 Commqb32.exe 99 PID 2056 wrote to memory of 2992 2056 Commqb32.exe 99 PID 2992 wrote to memory of 4928 2992 Cchiaqjm.exe 100 PID 2992 wrote to memory of 4928 2992 Cchiaqjm.exe 100 PID 2992 wrote to memory of 4928 2992 Cchiaqjm.exe 100 PID 4928 wrote to memory of 4412 4928 Cakjmm32.exe 101 PID 4928 wrote to memory of 4412 4928 Cakjmm32.exe 101 PID 4928 wrote to memory of 4412 4928 Cakjmm32.exe 101 PID 4412 wrote to memory of 1092 4412 Cibank32.exe 102 PID 4412 wrote to memory of 1092 4412 Cibank32.exe 102 PID 4412 wrote to memory of 1092 4412 Cibank32.exe 102 PID 1092 wrote to memory of 2452 1092 Chebighd.exe 103 PID 1092 wrote to memory of 2452 1092 Chebighd.exe 103 PID 1092 wrote to memory of 2452 1092 Chebighd.exe 103 PID 2452 wrote to memory of 3936 2452 Cpljkdig.exe 104 PID 2452 wrote to memory of 3936 2452 Cpljkdig.exe 104 PID 2452 wrote to memory of 3936 2452 Cpljkdig.exe 104 PID 3936 wrote to memory of 4532 3936 Coojfa32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5.exe"C:\Users\Admin\AppData\Local\Temp\b6d9098230a48191316a041eba6c8db0c61a7ce19dd7e809b4023d20c996c8b5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe23⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe24⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe25⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe26⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe27⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe28⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe29⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe30⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe31⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe32⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe33⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe34⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe35⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe36⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe37⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe38⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe39⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe40⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe41⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3948 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe43⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe46⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe47⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4224 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe49⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe50⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe51⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe52⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe53⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe54⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe55⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe57⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe58⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe61⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe62⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe63⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe64⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe65⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe66⤵PID:628
-
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe67⤵PID:764
-
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe68⤵PID:1952
-
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe69⤵PID:1300
-
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe70⤵PID:1664
-
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe71⤵PID:3472
-
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe72⤵PID:4316
-
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe73⤵PID:436
-
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe74⤵PID:2580
-
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe75⤵PID:5088
-
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe76⤵PID:4464
-
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe77⤵PID:1484
-
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe78⤵PID:5152
-
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe79⤵PID:5188
-
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe80⤵PID:5220
-
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe81⤵PID:5260
-
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe82⤵PID:5296
-
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe83⤵PID:5332
-
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe84⤵PID:5364
-
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe85⤵PID:5428
-
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe86⤵PID:5536
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe87⤵PID:5612
-
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe88⤵PID:5656
-
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe89⤵PID:5712
-
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe90⤵PID:5748
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe91⤵PID:5784
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe92⤵PID:5864
-
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe93⤵PID:5912
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe94⤵PID:5964
-
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe95⤵PID:6024
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe96⤵PID:6060
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe97⤵PID:6104
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe98⤵PID:6140
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe99⤵PID:264
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe100⤵PID:216
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe101⤵PID:636
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe102⤵PID:5016
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe103⤵PID:5108
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe104⤵PID:4388
-
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe105⤵PID:3660
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe106⤵PID:5180
-
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe107⤵PID:5280
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe108⤵PID:5320
-
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe109⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe111⤵PID:5456
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe112⤵PID:2512
-
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe113⤵PID:5620
-
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe114⤵PID:5648
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe115⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe116⤵PID:5668
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe117⤵PID:5796
-
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe118⤵PID:5920
-
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe119⤵PID:5840
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe120⤵PID:6004
-
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe121⤵PID:6072
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-