Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
30/05/2024, 19:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5.exe
-
Size
1.2MB
-
MD5
c914815667e95c87287d46101d49efdc
-
SHA1
d1f3f95bef4f0edccb6a0371320c4b6444486e4c
-
SHA256
18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5
-
SHA512
6c4169c773d322861cb6c283122720fbc24230c7daf3cac713a7f18a9abbc4ee94bf7a2999d1b44db595f3692c4a9dab3d32896be35dbe73f4d153f33e041d0f
-
SSDEEP
12288:IPADYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4ca:ZDYlFiWZpsKv2EvZHp3oWiQ4ca
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlcnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgmcqggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmpcdfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhqcam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhqjchp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqihnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlddi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceaehfjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfcpin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmhlihl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjcgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmgcgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoocmoao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhfnccl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgekbljc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnaikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhfjljd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmcdblq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqijje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbpaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idacmfkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bikkml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debeijoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dllmfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Habnjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpllo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjapi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilghlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Booaodnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Commqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbioei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibccic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqklmpdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogljjiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnjmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpgqpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clckpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Denlnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqihnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmpcdfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odapnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlegeemh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnoikqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkljak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefhjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbdjfln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmidog32.exe -
Executes dropped EXE 64 IoCs
pid Process 3908 Piockppb.exe 628 Qpikgj32.exe 3872 Qbjdiedp.exe 972 Aldegj32.exe 2292 Abnnddpj.exe 4532 Abqjjd32.exe 3440 Aimoln32.exe 408 Alkkhi32.exe 4484 Bbhqjchp.exe 2524 Bhdibj32.exe 3432 Booaodnd.exe 4312 Behiln32.exe 396 Bhgehi32.exe 4520 Bpnnig32.exe 2472 Boanecla.exe 1940 Baojaoke.exe 668 Bifbbllg.exe 1280 Bhibni32.exe 1168 Bpqjofcd.exe 2812 Bbofkbbh.exe 2796 Baaggo32.exe 4748 Biiohl32.exe 5116 Blgkdg32.exe 2192 Bpcgdfaa.exe 2748 Badcln32.exe 3080 Bikkml32.exe 3300 Clihig32.exe 3256 Cohdebfi.exe 1096 Cafpanem.exe 3488 Cimhckeo.exe 2892 Chphoh32.exe 4624 Cpgqpe32.exe 456 Ccfmla32.exe 1512 Clnadfbp.exe 1852 Cpjmee32.exe 1276 Commqb32.exe 2184 Cakjmm32.exe 736 Cefemliq.exe 2604 Chebighd.exe 4304 Cpljkdig.exe 3828 Camfbm32.exe 4804 Cidncj32.exe 1356 Clckpf32.exe 4448 Coagla32.exe 368 Capchmmb.exe 5084 Cekohk32.exe 2224 Dhjkdg32.exe 4244 Dlegeemh.exe 3884 Doccaall.exe 2336 Dcopbp32.exe 2932 Denlnk32.exe 2376 Dhlhjf32.exe 3356 Dlgdkeje.exe 2144 Dofpgqji.exe 1664 Dcalgo32.exe 3748 Dephckaf.exe 2556 Djlddi32.exe 2136 Dljqpd32.exe 3096 Dohmlp32.exe 1668 Dcdimopp.exe 5036 Debeijoc.exe 5072 Djnaji32.exe 4424 Dllmfd32.exe 5068 Dokjbp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qffbbldm.exe Qqijje32.exe File created C:\Windows\SysWOW64\Dephckaf.exe Dcalgo32.exe File opened for modification C:\Windows\SysWOW64\Njacpf32.exe Nqiogp32.exe File created C:\Windows\SysWOW64\Obangb32.exe Ojjffddl.exe File opened for modification C:\Windows\SysWOW64\Dafbne32.exe Dkljak32.exe File created C:\Windows\SysWOW64\Olpppj32.dll Hkdbpe32.exe File created C:\Windows\SysWOW64\Bgdnaigp.dll Hjolnb32.exe File created C:\Windows\SysWOW64\Mpolqa32.exe Mnapdf32.exe File created C:\Windows\SysWOW64\Gaelmc32.dll Alhhhcal.exe File opened for modification C:\Windows\SysWOW64\Qffbbldm.exe Qqijje32.exe File created C:\Windows\SysWOW64\Mkijij32.dll Cjinkg32.exe File created C:\Windows\SysWOW64\Nkbkiioa.dll Ejjqeg32.exe File created C:\Windows\SysWOW64\Lmmcfa32.dll Kpccnefa.exe File created C:\Windows\SysWOW64\Dalchnkg.dll Ojopad32.exe File created C:\Windows\SysWOW64\Dammlf32.dll Heocnk32.exe File created C:\Windows\SysWOW64\Ipdqba32.exe Icnpmp32.exe File created C:\Windows\SysWOW64\Alabgd32.exe Aegikj32.exe File created C:\Windows\SysWOW64\Ogifjcdp.exe Odkjng32.exe File created C:\Windows\SysWOW64\Bmngqdpj.exe Bganhm32.exe File created C:\Windows\SysWOW64\Cefemliq.exe Cakjmm32.exe File created C:\Windows\SysWOW64\Chebighd.exe Cefemliq.exe File opened for modification C:\Windows\SysWOW64\Fokbim32.exe Fmmfmbhn.exe File opened for modification C:\Windows\SysWOW64\Kkihknfg.exe Kbapjafe.exe File opened for modification C:\Windows\SysWOW64\Ocegdjij.exe Occkojkm.exe File created C:\Windows\SysWOW64\Amjknl32.dll Daekdooc.exe File created C:\Windows\SysWOW64\Hmenjlfh.dll Hmcojh32.exe File opened for modification C:\Windows\SysWOW64\Mdckfk32.exe Lllcen32.exe File opened for modification C:\Windows\SysWOW64\Dokjbp32.exe Dllmfd32.exe File created C:\Windows\SysWOW64\Ficgacna.exe Ffekegon.exe File created C:\Windows\SysWOW64\Icgqggce.exe Haidklda.exe File created C:\Windows\SysWOW64\Manffk32.dll Chdkoa32.exe File opened for modification C:\Windows\SysWOW64\Deoaid32.exe Doeiljfn.exe File opened for modification C:\Windows\SysWOW64\Aqkgpedc.exe Anmjcieo.exe File created C:\Windows\SysWOW64\Hkccjejn.dll Chebighd.exe File created C:\Windows\SysWOW64\Ehhgfdho.exe Efikji32.exe File opened for modification C:\Windows\SysWOW64\Ahhblemi.exe Aanjpk32.exe File created C:\Windows\SysWOW64\Miemjaci.exe Mgfqmfde.exe File created C:\Windows\SysWOW64\Fjegoh32.dll Nlaegk32.exe File created C:\Windows\SysWOW64\Cjinkg32.exe Bcoenmao.exe File created C:\Windows\SysWOW64\Fbcicn32.dll Bhdibj32.exe File created C:\Windows\SysWOW64\Ldooifgl.dll Hpbaqj32.exe File opened for modification C:\Windows\SysWOW64\Hjhfnccl.exe Hbanme32.exe File created C:\Windows\SysWOW64\Odnnnnfe.exe Oboaabga.exe File opened for modification C:\Windows\SysWOW64\Kmkfhc32.exe Kedoge32.exe File created C:\Windows\SysWOW64\Lgokmgjm.exe Lpebpm32.exe File opened for modification C:\Windows\SysWOW64\Njciko32.exe Ncianepl.exe File created C:\Windows\SysWOW64\Ajhddjfn.exe Aqppkd32.exe File opened for modification C:\Windows\SysWOW64\Bikkml32.exe Badcln32.exe File opened for modification C:\Windows\SysWOW64\Clihig32.exe Bikkml32.exe File created C:\Windows\SysWOW64\Lkbhbe32.dll Hbhdmd32.exe File created C:\Windows\SysWOW64\Bnnjen32.exe Bdhfhe32.exe File opened for modification C:\Windows\SysWOW64\Bnnjen32.exe Bdhfhe32.exe File created C:\Windows\SysWOW64\Dddhpjof.exe Daekdooc.exe File created C:\Windows\SysWOW64\Clbceo32.exe Conclk32.exe File created C:\Windows\SysWOW64\Pfjcgn32.exe Pclgkb32.exe File opened for modification C:\Windows\SysWOW64\Aclpap32.exe Aeiofcji.exe File created C:\Windows\SysWOW64\Clckpf32.exe Cidncj32.exe File created C:\Windows\SysWOW64\Omccgkde.dll Dcdimopp.exe File created C:\Windows\SysWOW64\Dcfebonm.exe Dokjbp32.exe File opened for modification C:\Windows\SysWOW64\Fmmfmbhn.exe Fjnjqfij.exe File created C:\Windows\SysWOW64\Dnhqigge.dll Peqcjkfp.exe File created C:\Windows\SysWOW64\Cmnpgb32.exe Cfdhkhjj.exe File opened for modification C:\Windows\SysWOW64\Dhkjej32.exe Daqbip32.exe File opened for modification C:\Windows\SysWOW64\Qbjdiedp.exe Qpikgj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11344 12260 WerFault.exe 584 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aclpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odnnnnfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alabgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeopki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll" Kbaipkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddphck32.dll" Cakjmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqfeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcneih32.dll" Ghlcnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll" Miemjaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" Aclpap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpgkkioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojhiqefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaelmc32.dll" Alhhhcal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll" Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cekohk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll" Ibccic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dboigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll" Pflplnlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deoaid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iejcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjinkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eofinnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgneampk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alhhhcal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qajadlja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbgkimpf.dll" Ddmhja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbmhlihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjoankoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahhblemi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkoggkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll" Kmkfhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfckahdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pflplnlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idofhfmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll" Jmkdlkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbkamqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmhlekj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbgbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldleel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhqjchp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Capchmmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkgdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmkfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll" Klqcioba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll" Ofnckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Belebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmmijf.dll" Biiohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpjnm32.dll" Dofpgqji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alfkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbjcolha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogifjcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbjdiedp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlojkddn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1640 wrote to memory of 3908 1640 18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5.exe 81 PID 1640 wrote to memory of 3908 1640 18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5.exe 81 PID 1640 wrote to memory of 3908 1640 18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5.exe 81 PID 3908 wrote to memory of 628 3908 Piockppb.exe 82 PID 3908 wrote to memory of 628 3908 Piockppb.exe 82 PID 3908 wrote to memory of 628 3908 Piockppb.exe 82 PID 628 wrote to memory of 3872 628 Qpikgj32.exe 83 PID 628 wrote to memory of 3872 628 Qpikgj32.exe 83 PID 628 wrote to memory of 3872 628 Qpikgj32.exe 83 PID 3872 wrote to memory of 972 3872 Qbjdiedp.exe 84 PID 3872 wrote to memory of 972 3872 Qbjdiedp.exe 84 PID 3872 wrote to memory of 972 3872 Qbjdiedp.exe 84 PID 972 wrote to memory of 2292 972 Aldegj32.exe 85 PID 972 wrote to memory of 2292 972 Aldegj32.exe 85 PID 972 wrote to memory of 2292 972 Aldegj32.exe 85 PID 2292 wrote to memory of 4532 2292 Abnnddpj.exe 86 PID 2292 wrote to memory of 4532 2292 Abnnddpj.exe 86 PID 2292 wrote to memory of 4532 2292 Abnnddpj.exe 86 PID 4532 wrote to memory of 3440 4532 Abqjjd32.exe 87 PID 4532 wrote to memory of 3440 4532 Abqjjd32.exe 87 PID 4532 wrote to memory of 3440 4532 Abqjjd32.exe 87 PID 3440 wrote to memory of 408 3440 Aimoln32.exe 89 PID 3440 wrote to memory of 408 3440 Aimoln32.exe 89 PID 3440 wrote to memory of 408 3440 Aimoln32.exe 89 PID 408 wrote to memory of 4484 408 Alkkhi32.exe 91 PID 408 wrote to memory of 4484 408 Alkkhi32.exe 91 PID 408 wrote to memory of 4484 408 Alkkhi32.exe 91 PID 4484 wrote to memory of 2524 4484 Bbhqjchp.exe 92 PID 4484 wrote to memory of 2524 4484 Bbhqjchp.exe 92 PID 4484 wrote to memory of 2524 4484 Bbhqjchp.exe 92 PID 2524 wrote to memory of 3432 2524 Bhdibj32.exe 93 PID 2524 wrote to memory of 3432 2524 Bhdibj32.exe 93 PID 2524 wrote to memory of 3432 2524 Bhdibj32.exe 93 PID 3432 wrote to memory of 4312 3432 Booaodnd.exe 94 PID 3432 wrote to memory of 4312 3432 Booaodnd.exe 94 PID 3432 wrote to memory of 4312 3432 Booaodnd.exe 94 PID 4312 wrote to memory of 396 4312 Behiln32.exe 95 PID 4312 wrote to memory of 396 4312 Behiln32.exe 95 PID 4312 wrote to memory of 396 4312 Behiln32.exe 95 PID 396 wrote to memory of 4520 396 Bhgehi32.exe 96 PID 396 wrote to memory of 4520 396 Bhgehi32.exe 96 PID 396 wrote to memory of 4520 396 Bhgehi32.exe 96 PID 4520 wrote to memory of 2472 4520 Bpnnig32.exe 97 PID 4520 wrote to memory of 2472 4520 Bpnnig32.exe 97 PID 4520 wrote to memory of 2472 4520 Bpnnig32.exe 97 PID 2472 wrote to memory of 1940 2472 Boanecla.exe 98 PID 2472 wrote to memory of 1940 2472 Boanecla.exe 98 PID 2472 wrote to memory of 1940 2472 Boanecla.exe 98 PID 1940 wrote to memory of 668 1940 Baojaoke.exe 99 PID 1940 wrote to memory of 668 1940 Baojaoke.exe 99 PID 1940 wrote to memory of 668 1940 Baojaoke.exe 99 PID 668 wrote to memory of 1280 668 Bifbbllg.exe 100 PID 668 wrote to memory of 1280 668 Bifbbllg.exe 100 PID 668 wrote to memory of 1280 668 Bifbbllg.exe 100 PID 1280 wrote to memory of 1168 1280 Bhibni32.exe 101 PID 1280 wrote to memory of 1168 1280 Bhibni32.exe 101 PID 1280 wrote to memory of 1168 1280 Bhibni32.exe 101 PID 1168 wrote to memory of 2812 1168 Bpqjofcd.exe 102 PID 1168 wrote to memory of 2812 1168 Bpqjofcd.exe 102 PID 1168 wrote to memory of 2812 1168 Bpqjofcd.exe 102 PID 2812 wrote to memory of 2796 2812 Bbofkbbh.exe 103 PID 2812 wrote to memory of 2796 2812 Bbofkbbh.exe 103 PID 2812 wrote to memory of 2796 2812 Bbofkbbh.exe 103 PID 2796 wrote to memory of 4748 2796 Baaggo32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5.exe"C:\Users\Admin\AppData\Local\Temp\18de338e8b7d9f6008ae28a450f8e155933237a4a0a9434ab91ec448c9384ac5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Piockppb.exeC:\Windows\system32\Piockppb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Qpikgj32.exeC:\Windows\system32\Qpikgj32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Qbjdiedp.exeC:\Windows\system32\Qbjdiedp.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Abnnddpj.exeC:\Windows\system32\Abnnddpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Abqjjd32.exeC:\Windows\system32\Abqjjd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Bhibni32.exeC:\Windows\system32\Bhibni32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Bpqjofcd.exeC:\Windows\system32\Bpqjofcd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe24⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Bpcgdfaa.exeC:\Windows\system32\Bpcgdfaa.exe25⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Badcln32.exeC:\Windows\system32\Badcln32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3080 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe28⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe29⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe30⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Cimhckeo.exeC:\Windows\system32\Cimhckeo.exe31⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe32⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe34⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe35⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe36⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:736 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe41⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe42⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4804 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe45⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:5084 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe48⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe50⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe51⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe53⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe54⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe57⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe59⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe60⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe63⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4424 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe66⤵PID:1340
-
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe67⤵PID:4864
-
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe68⤵PID:3716
-
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe69⤵
- Modifies registry class
PID:4500 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe70⤵PID:3012
-
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe71⤵PID:3088
-
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe72⤵PID:2840
-
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe73⤵PID:4260
-
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe74⤵PID:2568
-
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:184 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe77⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe78⤵PID:4128
-
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe79⤵PID:4888
-
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe80⤵PID:2728
-
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe81⤵PID:1068
-
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe82⤵PID:3560
-
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe83⤵PID:4476
-
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe84⤵PID:3132
-
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe85⤵PID:5156
-
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe86⤵PID:5192
-
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe87⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe88⤵PID:5264
-
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe89⤵PID:5300
-
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe90⤵
- Modifies registry class
PID:5336 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe91⤵PID:5372
-
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe92⤵PID:5408
-
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe93⤵PID:5444
-
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe94⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe95⤵PID:5516
-
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe96⤵PID:5552
-
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe97⤵
- Drops file in System32 directory
PID:5588 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe98⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe99⤵PID:5660
-
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe101⤵
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe102⤵PID:5768
-
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe103⤵PID:5804
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe104⤵PID:5840
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe105⤵
- Drops file in System32 directory
PID:4700 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe106⤵
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5140 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe109⤵PID:5308
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe110⤵PID:5392
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe111⤵PID:3056
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe112⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe113⤵PID:5596
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe114⤵PID:2992
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe115⤵PID:5704
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe116⤵PID:3360
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe117⤵
- Drops file in System32 directory
PID:3392 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe118⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe119⤵PID:5908
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe120⤵
- Drops file in System32 directory
PID:5972 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe121⤵PID:6008
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-