Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 19:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe
-
Size
99KB
-
MD5
5efceb587354da265e2b5cb92ec186dc
-
SHA1
23e5f3ca50ae4dada45c273f481f921be5be7d90
-
SHA256
2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5
-
SHA512
0ea8a7bab17698e5fb7feead341da3feb4a42451ee3becf182fd793d2034a69c8216e44937d8f230b481d096b75fe480fb834bbe1b2a0ac88f4e70cc9f6b17b8
-
SSDEEP
3072:6NHpY5f/Y7AooiDywSzQbFHeyQpwoTRBmDRGGurhUI:EYB/YkoocyIoem7UI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khbiello.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlkedai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcifkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfkdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcndeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhgonidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fecadghc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aajhndkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dglkoeio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlikkkhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpiqfima.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aagdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Feqeog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiipmhmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doccpcja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomjicei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqhfoebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oblhcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmfplibd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjkfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkmfolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qamago32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdjeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glbjggof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abhqefpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgmhcaac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahaceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdbhifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaqhjggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdocph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheekkjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkcndeen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcoljagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enkmfolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnenlka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imiehfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiiicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhplpl32.exe -
Executes dropped EXE 64 IoCs
pid Process 3992 Coadnlnb.exe 4872 Cfkmkf32.exe 2936 Ckhecmcf.exe 448 Cocacl32.exe 4808 Cfnjpfcl.exe 2316 Cdpjlb32.exe 4988 Clgbmp32.exe 5052 Cofnik32.exe 648 Cbdjeg32.exe 4172 Cdbfab32.exe 4424 Cohkokgj.exe 3660 Cdecgbfa.exe 2224 Dbicpfdk.exe 4432 Ddgplado.exe 1796 Dmohno32.exe 3580 Dfglfdkb.exe 3232 Dheibpje.exe 3400 Dooaoj32.exe 2468 Dbnmke32.exe 1468 Dkfadkgf.exe 3616 Dndnpf32.exe 2184 Dijbno32.exe 1892 Dkhnjk32.exe 2756 Deqcbpld.exe 2204 Ebdcld32.exe 4004 Ekmhejao.exe 4044 Efblbbqd.exe 3708 Ekodjiol.exe 3340 Eehicoel.exe 400 Epmmqheb.exe 3832 Efgemb32.exe 1080 Eppjfgcp.exe 1000 Efjbcakl.exe 4400 Fpbflg32.exe 2080 Fneggdhg.exe 2600 Fligqhga.exe 3224 Fpdcag32.exe 1128 Fealin32.exe 3500 Flkdfh32.exe 5040 Ffqhcq32.exe 3376 Fmkqpkla.exe 1168 Fpimlfke.exe 392 Fbgihaji.exe 4820 Fmmmfj32.exe 4680 Flpmagqi.exe 1276 Fnnjmbpm.exe 5104 Gehbjm32.exe 1996 Glbjggof.exe 4868 Gblbca32.exe 1864 Gfhndpol.exe 1392 Gmafajfi.exe 4136 Gbnoiqdq.exe 3196 Gmdcfidg.exe 4928 Glgcbf32.exe 3588 Gikdkj32.exe 1444 Gmfplibd.exe 5056 Gpelhd32.exe 3612 Gbchdp32.exe 3932 Geaepk32.exe 904 Gimqajgh.exe 2624 Glkmmefl.exe 768 Gpgind32.exe 4392 Gbeejp32.exe 2268 Hedafk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eppjfgcp.exe Efgemb32.exe File opened for modification C:\Windows\SysWOW64\Glgcbf32.exe Gmdcfidg.exe File opened for modification C:\Windows\SysWOW64\Jcoaglhk.exe Jpaekqhh.exe File opened for modification C:\Windows\SysWOW64\Cnjdpaki.exe Cklhcfle.exe File created C:\Windows\SysWOW64\Inebjihf.exe Hihibbjo.exe File opened for modification C:\Windows\SysWOW64\Dgbanq32.exe Ddcebe32.exe File opened for modification C:\Windows\SysWOW64\Dmohno32.exe Ddgplado.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jlgepanl.exe File created C:\Windows\SysWOW64\Fajbjh32.exe Fnkfmm32.exe File created C:\Windows\SysWOW64\Mjpnkbfj.dll Lhgkgijg.exe File opened for modification C:\Windows\SysWOW64\Dooaoj32.exe Dheibpje.exe File opened for modification C:\Windows\SysWOW64\Hehkajig.exe Hffken32.exe File created C:\Windows\SysWOW64\Pccopc32.dll Hfjdqmng.exe File created C:\Windows\SysWOW64\Eihcbonm.dll Ohlqcagj.exe File created C:\Windows\SysWOW64\Edionhpn.exe Ebkbbmqj.exe File opened for modification C:\Windows\SysWOW64\Figgdg32.exe Fdlkdhnk.exe File created C:\Windows\SysWOW64\Nlkppnab.dll Ddcebe32.exe File created C:\Windows\SysWOW64\Hfjdqmng.exe Hoclopne.exe File opened for modification C:\Windows\SysWOW64\Nbnlaldg.exe Noppeaed.exe File created C:\Windows\SysWOW64\Fpdcag32.exe Fligqhga.exe File created C:\Windows\SysWOW64\Lmdnbn32.exe Lfjfecno.exe File created C:\Windows\SysWOW64\Lnjkcfod.dll Fnbcgn32.exe File opened for modification C:\Windows\SysWOW64\Lakfeodm.exe Lomjicei.exe File created C:\Windows\SysWOW64\Mdcajc32.dll Mcfbkpab.exe File created C:\Windows\SysWOW64\Chfhllkp.dll Holfoqcm.exe File created C:\Windows\SysWOW64\Klcekpdo.exe Kjeiodek.exe File created C:\Windows\SysWOW64\Qkicbhla.dll Cglbhhga.exe File opened for modification C:\Windows\SysWOW64\Oqmhqapg.exe Ojcpdg32.exe File created C:\Windows\SysWOW64\Bqjoqdcl.dll Coadnlnb.exe File created C:\Windows\SysWOW64\Cofnik32.exe Clgbmp32.exe File created C:\Windows\SysWOW64\Gpelhd32.exe Gmfplibd.exe File created C:\Windows\SysWOW64\Nfohgqlg.exe Nmfcok32.exe File created C:\Windows\SysWOW64\Jafdcbge.exe Jpegkj32.exe File created C:\Windows\SysWOW64\Paenokbf.dll Aaiqcnhg.exe File created C:\Windows\SysWOW64\Ebdcld32.exe Eofgpikj.exe File created C:\Windows\SysWOW64\Fbqdpi32.dll Ilnbicff.exe File created C:\Windows\SysWOW64\Ojdgnn32.exe Oakbehfe.exe File opened for modification C:\Windows\SysWOW64\Dkcndeen.exe Dhdbhifj.exe File created C:\Windows\SysWOW64\Ekellcop.dll Eklajcmc.exe File created C:\Windows\SysWOW64\Jeocna32.exe Joekag32.exe File created C:\Windows\SysWOW64\Cghane32.dll Ckhecmcf.exe File created C:\Windows\SysWOW64\Oaifpi32.exe Nfcabp32.exe File opened for modification C:\Windows\SysWOW64\Doccpcja.exe Dglkoeio.exe File created C:\Windows\SysWOW64\Egened32.exe Eqlfhjig.exe File created C:\Windows\SysWOW64\Ihbponja.exe Ieccbbkn.exe File created C:\Windows\SysWOW64\Goniok32.dll Iialhaad.exe File opened for modification C:\Windows\SysWOW64\Jpegkj32.exe Jlikkkhn.exe File created C:\Windows\SysWOW64\Flkdfh32.exe Fealin32.exe File created C:\Windows\SysWOW64\Ocoaob32.dll Glbjggof.exe File created C:\Windows\SysWOW64\Mhegobpi.dll Iplkpa32.exe File created C:\Windows\SysWOW64\Almoijfo.dll Knenkbio.exe File created C:\Windows\SysWOW64\Mgbefe32.exe Mjodla32.exe File opened for modification C:\Windows\SysWOW64\Fdlkdhnk.exe Fnbcgn32.exe File created C:\Windows\SysWOW64\Mhanngbl.exe Mbgeqmjp.exe File opened for modification C:\Windows\SysWOW64\Fbgihaji.exe Fpimlfke.exe File created C:\Windows\SysWOW64\Eomffaag.exe Egened32.exe File created C:\Windows\SysWOW64\Pmphaaln.exe Pfepdg32.exe File created C:\Windows\SysWOW64\Glofjfnn.dll Bigbmpco.exe File opened for modification C:\Windows\SysWOW64\Ddgplado.exe Dbicpfdk.exe File created C:\Windows\SysWOW64\Damlpgkc.dll Njbgmjgl.exe File created C:\Windows\SysWOW64\Omgmeigd.exe Ofmdio32.exe File opened for modification C:\Windows\SysWOW64\Galoohke.exe Gnnccl32.exe File created C:\Windows\SysWOW64\Nohjfifo.dll Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Kibeoo32.exe Kbhmbdle.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12252 11628 WerFault.exe 602 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aajhndkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glhimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgigo32.dll" Kpjgaoqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iijfhbhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lindkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inebjihf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njjmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll" Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepgfb32.dll" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll" Ahaceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edionhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oghghb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omgmeigd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jppnpjel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oblhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aagdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doepmnag.dll" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll" Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnekbm32.dll" Lomjicei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll" Lancko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aimogakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll" Ihpcinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll" Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll" Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll" Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll" Bpjmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgiohbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehenqf32.dll" Dglkoeio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckpamabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kiikpnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhjomjk.dll" Oblhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkllcbh.dll" Dkhnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fealin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lokdnjkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pblajhje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qfmfefni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gijmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll" Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmpjoloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgbanq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakoidm.dll" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknfelnj.dll" Damfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll" Lepleocn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lakfeodm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldbgic.dll" Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkmokh.dll" Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnjancb.dll" Glhimp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 3992 2736 2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe 88 PID 2736 wrote to memory of 3992 2736 2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe 88 PID 2736 wrote to memory of 3992 2736 2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe 88 PID 3992 wrote to memory of 4872 3992 Coadnlnb.exe 89 PID 3992 wrote to memory of 4872 3992 Coadnlnb.exe 89 PID 3992 wrote to memory of 4872 3992 Coadnlnb.exe 89 PID 4872 wrote to memory of 2936 4872 Cfkmkf32.exe 90 PID 4872 wrote to memory of 2936 4872 Cfkmkf32.exe 90 PID 4872 wrote to memory of 2936 4872 Cfkmkf32.exe 90 PID 2936 wrote to memory of 448 2936 Ckhecmcf.exe 91 PID 2936 wrote to memory of 448 2936 Ckhecmcf.exe 91 PID 2936 wrote to memory of 448 2936 Ckhecmcf.exe 91 PID 448 wrote to memory of 4808 448 Cocacl32.exe 92 PID 448 wrote to memory of 4808 448 Cocacl32.exe 92 PID 448 wrote to memory of 4808 448 Cocacl32.exe 92 PID 4808 wrote to memory of 2316 4808 Cfnjpfcl.exe 93 PID 4808 wrote to memory of 2316 4808 Cfnjpfcl.exe 93 PID 4808 wrote to memory of 2316 4808 Cfnjpfcl.exe 93 PID 2316 wrote to memory of 4988 2316 Cdpjlb32.exe 94 PID 2316 wrote to memory of 4988 2316 Cdpjlb32.exe 94 PID 2316 wrote to memory of 4988 2316 Cdpjlb32.exe 94 PID 4988 wrote to memory of 5052 4988 Clgbmp32.exe 95 PID 4988 wrote to memory of 5052 4988 Clgbmp32.exe 95 PID 4988 wrote to memory of 5052 4988 Clgbmp32.exe 95 PID 5052 wrote to memory of 648 5052 Cofnik32.exe 97 PID 5052 wrote to memory of 648 5052 Cofnik32.exe 97 PID 5052 wrote to memory of 648 5052 Cofnik32.exe 97 PID 648 wrote to memory of 4172 648 Cbdjeg32.exe 98 PID 648 wrote to memory of 4172 648 Cbdjeg32.exe 98 PID 648 wrote to memory of 4172 648 Cbdjeg32.exe 98 PID 4172 wrote to memory of 4424 4172 Cdbfab32.exe 100 PID 4172 wrote to memory of 4424 4172 Cdbfab32.exe 100 PID 4172 wrote to memory of 4424 4172 Cdbfab32.exe 100 PID 4424 wrote to memory of 3660 4424 Cohkokgj.exe 101 PID 4424 wrote to memory of 3660 4424 Cohkokgj.exe 101 PID 4424 wrote to memory of 3660 4424 Cohkokgj.exe 101 PID 3660 wrote to memory of 2224 3660 Cdecgbfa.exe 102 PID 3660 wrote to memory of 2224 3660 Cdecgbfa.exe 102 PID 3660 wrote to memory of 2224 3660 Cdecgbfa.exe 102 PID 2224 wrote to memory of 4432 2224 Dbicpfdk.exe 103 PID 2224 wrote to memory of 4432 2224 Dbicpfdk.exe 103 PID 2224 wrote to memory of 4432 2224 Dbicpfdk.exe 103 PID 4432 wrote to memory of 1796 4432 Ddgplado.exe 104 PID 4432 wrote to memory of 1796 4432 Ddgplado.exe 104 PID 4432 wrote to memory of 1796 4432 Ddgplado.exe 104 PID 1796 wrote to memory of 3580 1796 Dmohno32.exe 105 PID 1796 wrote to memory of 3580 1796 Dmohno32.exe 105 PID 1796 wrote to memory of 3580 1796 Dmohno32.exe 105 PID 3580 wrote to memory of 3232 3580 Dfglfdkb.exe 106 PID 3580 wrote to memory of 3232 3580 Dfglfdkb.exe 106 PID 3580 wrote to memory of 3232 3580 Dfglfdkb.exe 106 PID 3232 wrote to memory of 3400 3232 Dheibpje.exe 107 PID 3232 wrote to memory of 3400 3232 Dheibpje.exe 107 PID 3232 wrote to memory of 3400 3232 Dheibpje.exe 107 PID 3400 wrote to memory of 2468 3400 Dooaoj32.exe 109 PID 3400 wrote to memory of 2468 3400 Dooaoj32.exe 109 PID 3400 wrote to memory of 2468 3400 Dooaoj32.exe 109 PID 2468 wrote to memory of 1468 2468 Dbnmke32.exe 110 PID 2468 wrote to memory of 1468 2468 Dbnmke32.exe 110 PID 2468 wrote to memory of 1468 2468 Dbnmke32.exe 110 PID 1468 wrote to memory of 3616 1468 Dkfadkgf.exe 111 PID 1468 wrote to memory of 3616 1468 Dkfadkgf.exe 111 PID 1468 wrote to memory of 3616 1468 Dkfadkgf.exe 111 PID 3616 wrote to memory of 2184 3616 Dndnpf32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe"C:\Users\Admin\AppData\Local\Temp\2a84dc77e981cb6631f99a274eab95ac8ea87cfe2448faee84cc4f8fe85a2ba5.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe25⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe26⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe27⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe28⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe29⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe32⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe34⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe35⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Fpbflg32.exeC:\Windows\system32\Fpbflg32.exe36⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe37⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Fpdcag32.exeC:\Windows\system32\Fpdcag32.exe39⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe41⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe42⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Fmkqpkla.exeC:\Windows\system32\Fmkqpkla.exe43⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe45⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe46⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe47⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Fnnjmbpm.exeC:\Windows\system32\Fnnjmbpm.exe48⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe49⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe51⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe52⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe53⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe54⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3196 -
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe56⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe59⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe60⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe61⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe62⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe63⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe64⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe65⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe66⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Hmkigh32.exeC:\Windows\system32\Hmkigh32.exe67⤵PID:4852
-
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe68⤵
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe69⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe70⤵PID:5176
-
C:\Windows\SysWOW64\Hibjli32.exeC:\Windows\system32\Hibjli32.exe71⤵PID:5224
-
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5268 -
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe73⤵PID:5308
-
C:\Windows\SysWOW64\Hffken32.exeC:\Windows\system32\Hffken32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe75⤵PID:5396
-
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe76⤵PID:5448
-
C:\Windows\SysWOW64\Hoaojp32.exeC:\Windows\system32\Hoaojp32.exe77⤵PID:5492
-
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe78⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe79⤵
- Drops file in System32 directory
PID:5584 -
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe80⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe82⤵PID:5716
-
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe83⤵PID:5760
-
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe84⤵PID:5796
-
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe86⤵PID:5888
-
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe87⤵PID:5932
-
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe88⤵PID:5980
-
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe89⤵PID:6024
-
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe90⤵PID:6068
-
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Ipgbdbqb.exeC:\Windows\system32\Ipgbdbqb.exe92⤵PID:5140
-
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe93⤵PID:5216
-
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe94⤵
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe95⤵PID:5384
-
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe96⤵PID:5480
-
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe97⤵PID:5556
-
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe98⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe99⤵PID:5688
-
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe100⤵
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe101⤵PID:5828
-
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe102⤵PID:5912
-
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe103⤵PID:5972
-
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe104⤵PID:4532
-
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe105⤵PID:4980
-
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe106⤵PID:6100
-
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe107⤵PID:5172
-
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5256 -
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe109⤵PID:5404
-
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe110⤵
- Drops file in System32 directory
PID:5528 -
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe111⤵PID:5648
-
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5744 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864 -
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe114⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6012 -
C:\Windows\SysWOW64\Jofalmmp.exeC:\Windows\system32\Jofalmmp.exe116⤵PID:6056
-
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe117⤵
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe118⤵PID:5296
-
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe119⤵PID:5524
-
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe120⤵PID:5668
-
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-