Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 16/06/2024, 21:34
Static task: static1
Behavioral task: behavioral1
- Sample: 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe
- Resource: win10v2004-20240508-en
General
- Target: 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe
- Size: 243KB
- MD5: 0fbdc59ca2a7e1cef74056c7ca66e097
- SHA1: fcec8d36dec850ca3568851d9712432ded4f19ec
- SHA256: 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff
- SHA512: 8bb351da8d781dca2814a87305b1645e11de59f3311507297addeb059e14b4c9430efc4c338901a0939268684e8c2c94987ec874ad2332577cf491c76fc38067
- SSDEEP: 3072:iPMcDePJuQkKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:iPpePJuQkKzwdlU2zlNgwTnAWtlhjQ
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdlkiepd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oddpfc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfcampgf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enfenplo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilqpdm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nckjkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djmicm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liplnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mabgcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pndpajgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Endhhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnhnbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Illgimph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knklagmb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lapnnafn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aniimjbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeenochi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgbfamff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jejhecaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhfipcid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfoqmo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abeemhkh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdlkiepd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adpkee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekelld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcfqkl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ookmfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odhfob32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajpjakhc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baadng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecqqpgli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjdhbc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ginnnooi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqilooij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpjdjmfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnomcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qbelgood.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmmkcoap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpjhkjde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpjdjmfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjfccn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mponel32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npagjpcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjldghjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcdbbloa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlngpjlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hapicp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikkjbe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acmhepko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifkacb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmpnhdfc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ackkppma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biojif32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfmdho32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amnfnfgg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cinfhigl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgbfamff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbdnko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmolnh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cclkfdnc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Faigdn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkhnle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kocbkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmgdddmq.exe
- Detects executables built or packed with MPress PE compressor (64 IoCs)
resource | yara_rule
behavioral1/files/0x000a0000000122ec-5.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000c000000016103-26.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00070000000164a9-33.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000700000001663f-46.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000016d65-59.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d71-72.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016dde-86.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016eb9-104.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000017477-112.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000017495-128.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0014000000018669-138.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018686-151.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000186f1-167.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0035000000015f71-186.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001873f-197.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001878d-211.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1956-220-0x0000000000400000-0x0000000000467000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019228-228.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001925d-238.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019275-251.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019283-261.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019381-272.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000193a5-280.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019433-290.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019462-302.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194a8-312.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194eb-322.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019501-333.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001954b-342.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195a4-353.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001961a-363.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001961e-376.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019620-384.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019624-395.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019628-406.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001967c-419.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019709-427.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c52-438.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c56-449.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019d3a-460.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019dc9-471.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019fba-482.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a091-492.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a0b5-505.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a375-513.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a43e-523.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a443-535.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a486-545.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4ab-554.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4b6-563.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4cd-572.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4d1-582.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4d5-594.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4d9-602.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4dd-611.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4e1-620.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4e9-638.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4e5-628.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4ed-649.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4f1-663.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4f6-676.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4fa-687.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4fe-698.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a503-710.dat | INDICATOR_EXE_Packed_MPress
- Executes dropped EXE (64 IoCs)
pid | Process
2424 | Gdopkn32.exe
2996 | Gmgdddmq.exe
2700 | Gmjaic32.exe
2624 | Hgbebiao.exe
2840 | Hmlnoc32.exe
2664 | Hdfflm32.exe
2964 | Hicodd32.exe
1344 | Hggomh32.exe
2968 | Hobcak32.exe
2788 | Hlfdkoin.exe
2232 | Hodpgjha.exe
2668 | Hjjddchg.exe
1552 | Hogmmjfo.exe
1176 | Ioijbj32.exe
2016 | Iokfhi32.exe
1956 | Idklfpon.exe
656 | Icmlam32.exe
988 | Icpigm32.exe
2252 | Jcbellac.exe
2560 | Jgnamk32.exe
1528 | Joifam32.exe
764 | Jcdbbloa.exe
2336 | Jjojofgn.exe
2052 | Jicgpb32.exe
3008 | Jejhecaj.exe
2400 | Jgidao32.exe
2676 | Joplbl32.exe
2584 | Kgkafo32.exe
2640 | Kgnnln32.exe
2716 | Kjljhjkl.exe
1732 | Kfbkmk32.exe
2516 | Kjnfniii.exe
2508 | Kpkofpgq.exe
3004 | Kfegbj32.exe
2792 | Kifpdelo.exe
1600 | Lldlqakb.exe
872 | Llfifq32.exe
2824 | Loeebl32.exe
2480 | Lbcnhjnj.exe
2104 | Lhpfqama.exe
1968 | Lkppbl32.exe
1720 | Lmolnh32.exe
1152 | Monhhk32.exe
2904 | Mamddf32.exe
1472 | Mhgmapfi.exe
2036 | Mmceigep.exe
2912 | Mdmmfa32.exe
1316 | Mkgfckcj.exe
1592 | Mijfnh32.exe
1964 | Mpdnkb32.exe
1700 | Mcbjgn32.exe
1548 | Mimbdhhb.exe
2600 | Mmhodf32.exe
2132 | Moiklogi.exe
2616 | Mgqcmlgl.exe
2884 | Miooigfo.exe
2728 | Mhbped32.exe
2540 | Mlmlecec.exe
2960 | Mpigfa32.exe
2992 | Ncgdbmmp.exe
1420 | Nefpnhlc.exe
1244 | Nialog32.exe
1356 | Nlphkb32.exe
1928 | Ncjqhmkm.exe
- Loads dropped DLL (64 IoCs)
pid | Process
2212 | 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe
2212 | 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe
2424 | Gdopkn32.exe
2424 | Gdopkn32.exe
2996 | Gmgdddmq.exe
2996 | Gmgdddmq.exe
2700 | Gmjaic32.exe
2700 | Gmjaic32.exe
2624 | Hgbebiao.exe
2624 | Hgbebiao.exe
2840 | Hmlnoc32.exe
2840 | Hmlnoc32.exe
2664 | Hdfflm32.exe
2664 | Hdfflm32.exe
2964 | Hicodd32.exe
2964 | Hicodd32.exe
1344 | Hggomh32.exe
1344 | Hggomh32.exe
2968 | Hobcak32.exe
2968 | Hobcak32.exe
2788 | Hlfdkoin.exe
2788 | Hlfdkoin.exe
2232 | Hodpgjha.exe
2232 | Hodpgjha.exe
2668 | Hjjddchg.exe
2668 | Hjjddchg.exe
1552 | Hogmmjfo.exe
1552 | Hogmmjfo.exe
1176 | Ioijbj32.exe
1176 | Ioijbj32.exe
2016 | Iokfhi32.exe
2016 | Iokfhi32.exe
1956 | Idklfpon.exe
1956 | Idklfpon.exe
656 | Icmlam32.exe
656 | Icmlam32.exe
988 | Icpigm32.exe
988 | Icpigm32.exe
2252 | Jcbellac.exe
2252 | Jcbellac.exe
2560 | Jgnamk32.exe
2560 | Jgnamk32.exe
1528 | Joifam32.exe
1528 | Joifam32.exe
764 | Jcdbbloa.exe
764 | Jcdbbloa.exe
2336 | Jjojofgn.exe
2336 | Jjojofgn.exe
2052 | Jicgpb32.exe
2052 | Jicgpb32.exe
3008 | Jejhecaj.exe
3008 | Jejhecaj.exe
2400 | Jgidao32.exe
2400 | Jgidao32.exe
2676 | Joplbl32.exe
2676 | Joplbl32.exe
2584 | Kgkafo32.exe
2584 | Kgkafo32.exe
2640 | Kgnnln32.exe
2640 | Kgnnln32.exe
2716 | Kjljhjkl.exe
2716 | Kjljhjkl.exe
1732 | Kfbkmk32.exe
1732 | Kfbkmk32.exe
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Lmnppf32.dll | Niebhf32.exe
File created | C:\Windows\SysWOW64\Nacgdhlp.exe | Njlockkm.exe
File created | C:\Windows\SysWOW64\Pbqpqcoj.dll | Pgplkb32.exe
File created | C:\Windows\SysWOW64\Baakhm32.exe | Bbokmqie.exe
File created | C:\Windows\SysWOW64\Mpcnkg32.dll | Lclnemgd.exe
File created | C:\Windows\SysWOW64\Nnplna32.dll | Kgkafo32.exe
File created | C:\Windows\SysWOW64\Nblnkb32.dll | Ofjfhk32.exe
File opened for modification | C:\Windows\SysWOW64\Bldcpf32.exe | Bhigphio.exe
File created | C:\Windows\SysWOW64\Labkdack.exe | Lndohedg.exe
File opened for modification | C:\Windows\SysWOW64\Npagjpcd.exe | Nmbknddp.exe
File created | C:\Windows\SysWOW64\Dqehhb32.dll | Mamddf32.exe
File created | C:\Windows\SysWOW64\Fikjha32.dll | Abmbhn32.exe
File created | C:\Windows\SysWOW64\Cnmehnan.exe | Cojema32.exe
File created | C:\Windows\SysWOW64\Dlpajg32.dll | Hpefdl32.exe
File opened for modification | C:\Windows\SysWOW64\Iheddndj.exe | Iefhhbef.exe
File created | C:\Windows\SysWOW64\Cpdcnhnl.dll | Jjbpgd32.exe
File created | C:\Windows\SysWOW64\Agmceh32.dll | Kbdklf32.exe
File opened for modification | C:\Windows\SysWOW64\Ncbplk32.exe | Npccpo32.exe
File created | C:\Windows\SysWOW64\Lkmkpl32.dll | Eqgnokip.exe
File opened for modification | C:\Windows\SysWOW64\Fmpkjkma.exe | Fjaonpnn.exe
File created | C:\Windows\SysWOW64\Gpgmpikn.dll | Hlngpjlj.exe
File created | C:\Windows\SysWOW64\Lcfqkl32.exe | Lpjdjmfp.exe
File created | C:\Windows\SysWOW64\Kpkdli32.dll | Ocdmaj32.exe
File opened for modification | C:\Windows\SysWOW64\Pmjqcc32.exe | Pjldghjm.exe
File opened for modification | C:\Windows\SysWOW64\Ofjfhk32.exe | Oclilp32.exe
File opened for modification | C:\Windows\SysWOW64\Eqijej32.exe | Efcfga32.exe
File created | C:\Windows\SysWOW64\Jjpcbe32.exe | Jkmcfhkc.exe
File created | C:\Windows\SysWOW64\Iggbhk32.dll | Mlfojn32.exe
File opened for modification | C:\Windows\SysWOW64\Cmgechbh.exe | Chkmkacq.exe
File created | C:\Windows\SysWOW64\Aheefb32.dll | Cbdnko32.exe
File created | C:\Windows\SysWOW64\Icpigm32.exe | Icmlam32.exe
File opened for modification | C:\Windows\SysWOW64\Lkppbl32.exe | Lhpfqama.exe
File opened for modification | C:\Windows\SysWOW64\Oqmmpd32.exe | Ohfeog32.exe
File created | C:\Windows\SysWOW64\Fhneehek.exe | Fikejl32.exe
File opened for modification | C:\Windows\SysWOW64\Hpefdl32.exe | Hmfjha32.exe
File created | C:\Windows\SysWOW64\Fbpljhnf.dll | Magqncba.exe
File created | C:\Windows\SysWOW64\Hbgodfkh.dll | Nkeelohh.exe
File created | C:\Windows\SysWOW64\Oceaboqg.dll | Nkiogn32.exe
File created | C:\Windows\SysWOW64\Blgpef32.exe | Bhkdeggl.exe
File created | C:\Windows\SysWOW64\Gmdadnkh.exe | Gfjhgdck.exe
File created | C:\Windows\SysWOW64\Mjapln32.dll | Hanlnp32.exe
File created | C:\Windows\SysWOW64\Jicgpb32.exe | Jjojofgn.exe
File opened for modification | C:\Windows\SysWOW64\Llfifq32.exe | Lldlqakb.exe
File created | C:\Windows\SysWOW64\Bgagbb32.dll | Mpdnkb32.exe
File created | C:\Windows\SysWOW64\Mclgfa32.dll | Bdgafdfp.exe
File created | C:\Windows\SysWOW64\Jfiilbkl.dll | Dnoomqbg.exe
File created | C:\Windows\SysWOW64\Bkfeekif.dll | Gfobbc32.exe
File opened for modification | C:\Windows\SysWOW64\Cinfhigl.exe | Cklfll32.exe
File opened for modification | C:\Windows\SysWOW64\Hdfflm32.exe | Hmlnoc32.exe
File created | C:\Windows\SysWOW64\Loeebl32.exe | Llfifq32.exe
File opened for modification | C:\Windows\SysWOW64\Ocimgp32.exe | Ojahnj32.exe
File created | C:\Windows\SysWOW64\Ngdifkpi.exe | Magqncba.exe
File created | C:\Windows\SysWOW64\Ogkkfmml.exe | Odlojanh.exe
File created | C:\Windows\SysWOW64\Jgidao32.exe | Jejhecaj.exe
File created | C:\Windows\SysWOW64\Dempblao.dll | Iimjmbae.exe
File opened for modification | C:\Windows\SysWOW64\Kiqpop32.exe | Kfbcbd32.exe
File opened for modification | C:\Windows\SysWOW64\Cjdfmo32.exe | Cdgneh32.exe
File created | C:\Windows\SysWOW64\Faigdn32.exe | Fmmkcoap.exe
File opened for modification | C:\Windows\SysWOW64\Kicmdo32.exe | Knmhgf32.exe
File created | C:\Windows\SysWOW64\Emfmdo32.dll | Abeemhkh.exe
File opened for modification | C:\Windows\SysWOW64\Qpecfc32.exe | Pikkiijf.exe
File created | C:\Windows\SysWOW64\Qbelgood.exe | Qpgpkcpp.exe
File created | C:\Windows\SysWOW64\Chpmpg32.exe | Cddaphkn.exe
File created | C:\Windows\SysWOW64\Dpcfqoam.dll | Jgojpjem.exe
- Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5704 | 5672 | WerFault.exe | 510
- Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohaeia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjbcfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pnajilng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bafidiio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll" | Dbkknojp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hoamgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ljmlbfhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaebnq32.dll" | Lfpclh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngdifkpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcbjgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fjaonpnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obojmk32.dll" | Hhehek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ipjoplgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Labkdack.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohendqhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbkbgjcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdlkiepd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgkafo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abhimnma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgjaf32.dll" | Gfjhgdck.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhehek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifkacb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Apoooa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhppho32.dll" | Ncbplk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgpeal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll" | Acmhepko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hggomh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oikojfgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjlqhoba.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfamcogo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Migbnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqphdm32.dll" | Joplbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bghjhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baakhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" | Baadng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dlnbeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbamma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmgpon32.dll" | Inkccpgk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhhpeafc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lghjel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmojocel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aibajhdn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cohigamf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll" | Emkaol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijdqna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kiqpop32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mimbdhhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mimbdhhb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bafidiio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkoplhip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll" | Kicmdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbknfbl.dll" | Knklagmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll" | Mdacop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onpjghhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" | Hicodd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ofjfhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdgneh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll" | Doehqead.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmfgh32.dll" | Hhgdkjol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blkioa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndbcpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkeqmgm.dll" | Pdaoog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pnomcl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mholen32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe"C:\Users\Admin\AppData\Local\Temp\58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:656 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe33⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe34⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe35⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe36⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe39⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe40⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe42⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe44⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe46⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe47⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe48⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe49⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe50⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe54⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe55⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe56⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe57⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe58⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe59⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe60⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe61⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe62⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe63⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe64⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe65⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe66⤵PID:1080
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe67⤵PID:608
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe69⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe70⤵PID:1744
-
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe71⤵PID:756
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe72⤵PID:3012
-
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe73⤵PID:3056
-
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe74⤵PID:2696
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe75⤵PID:2088
-
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe76⤵PID:2568
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe77⤵PID:2852
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe78⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe79⤵
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe80⤵PID:2552
-
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe81⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe82⤵PID:1984
-
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe83⤵PID:576
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe84⤵PID:888
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe86⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe87⤵PID:3028
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe88⤵
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe89⤵PID:3048
-
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe90⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe92⤵PID:2732
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe93⤵PID:2612
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe94⤵PID:2980
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe95⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe96⤵PID:2836
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe97⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe98⤵
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe99⤵PID:2040
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe100⤵PID:1224
-
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe101⤵PID:2032
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe102⤵PID:944
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe103⤵PID:1996
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe104⤵PID:2092
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe106⤵PID:3068
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe107⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe108⤵PID:2944
-
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe109⤵PID:2000
-
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe110⤵PID:2932
-
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe111⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe112⤵PID:2620
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe113⤵PID:3060
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe114⤵PID:2556
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe115⤵PID:2864
-
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe116⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe118⤵PID:1272
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe119⤵PID:1748
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe120⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe121⤵PID:2856
-
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe122⤵
- Modifies registry class
PID:2476