Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
63s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25/06/2024, 03:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc.exe
-
Size
128KB
-
MD5
da2c0078a201bede8eb8458cf40200b5
-
SHA1
3fbfcd3c155bbe4a0785c8afc43161de55c615d1
-
SHA256
e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc
-
SHA512
22a3aac05f83f07d49f00731d7b3f2058a65a6a3a87b5efb210c2ce3c68d1cabbc75d84076fbf53a27040b7b47ecbf751b2525f65889978227cfefb30f9c97dc
-
SSDEEP
3072:Qis+D2mx6UOyxGN2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:tWC67yxC4BhHmNEcYj9nhV8NCU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkhdqoac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbkgfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbgdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hioiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpppnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpkiph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaamlecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahnhhod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmflbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidqko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daediilg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iafonaao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmikeaap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhjfhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nemcjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpqaiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhbgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jodjhkkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjfcipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpijnqkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnlgleef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llemdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqpnombl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mckemg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpijp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokgal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flngfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 4568 Okhfjh32.exe 604 Oqdoboli.exe 4540 Odpjcm32.exe 1636 Onholckc.exe 2096 Ocegdjij.exe 456 Ogaceh32.exe 1020 Obfhba32.exe 412 Ocgdji32.exe 3800 Okolkg32.exe 1624 Obidhaog.exe 704 Pgemphmn.exe 2964 Pnpemb32.exe 3900 Peimil32.exe 836 Pjffbc32.exe 2132 Pqpnombl.exe 2356 Pcojkhap.exe 3268 Pjhbgb32.exe 964 Pengdk32.exe 3576 Pjkombfj.exe 3188 Pcccfh32.exe 3596 Qcepkg32.exe 4528 Qbgqio32.exe 3420 Qchmagie.exe 5048 Qnnanphk.exe 1648 Agffge32.exe 680 Abkjdnoa.exe 3036 Acmflf32.exe 4372 Anbkio32.exe 4364 Aaqgek32.exe 4512 Ajiknpjj.exe 4148 Abpcon32.exe 3320 Ahmlgd32.exe 3372 Abbpem32.exe 2352 Adcmmeog.exe 3172 Ajneip32.exe 3100 Abemjmgg.exe 648 Becifhfj.exe 4056 Bjpaooda.exe 1676 Bnlnon32.exe 4384 Bdhfhe32.exe 4804 Blpnib32.exe 1316 Bnnjen32.exe 212 Balfaiil.exe 1696 Blbknaib.exe 2720 Bopgjmhe.exe 1060 Bdmpcdfm.exe 3484 Bjghpn32.exe 2536 Baaplhef.exe 3040 Bhkhibmc.exe 4728 Cbqlfkmi.exe 1368 Ceoibflm.exe 404 Cklaknjd.exe 4848 Cddecc32.exe 1516 Clkndpag.exe 2488 Cbefaj32.exe 4488 Chbnia32.exe 2440 Ckpjfm32.exe 3948 Cajcbgml.exe 2644 Chdkoa32.exe 4780 Conclk32.exe 3264 Camphf32.exe 4480 Cdkldb32.exe 1828 Ckedalaj.exe 2220 Daolnf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Djdmffnn.exe Dfiafg32.exe File created C:\Windows\SysWOW64\Bepdhaek.dll Ccnncgmc.exe File opened for modification C:\Windows\SysWOW64\Cglgjeci.exe Cpeohh32.exe File created C:\Windows\SysWOW64\Ncdpoaed.dll Oocmii32.exe File created C:\Windows\SysWOW64\Cpgbgamd.dll Bcddcbab.exe File created C:\Windows\SysWOW64\Mdfggeba.dll Efccmidp.exe File created C:\Windows\SysWOW64\Kbgbpn32.dll Process not Found File created C:\Windows\SysWOW64\Kpbmco32.exe Kmdqgd32.exe File opened for modification C:\Windows\SysWOW64\Kofdhd32.exe Process not Found File created C:\Windows\SysWOW64\Lbmhlihl.exe Llcpoo32.exe File created C:\Windows\SysWOW64\Bfbghcbm.dll Miaboe32.exe File opened for modification C:\Windows\SysWOW64\Ebommi32.exe Eppqqn32.exe File opened for modification C:\Windows\SysWOW64\Gncchb32.exe Process not Found File created C:\Windows\SysWOW64\Pcojkhap.exe Pqpnombl.exe File created C:\Windows\SysWOW64\Klljnp32.exe Kmijbcpl.exe File created C:\Windows\SysWOW64\Goaojagc.dll Nlmllkja.exe File opened for modification C:\Windows\SysWOW64\Gochjpho.exe Gglpibgm.exe File created C:\Windows\SysWOW64\Qfildi32.dll Ikcdlmgf.exe File created C:\Windows\SysWOW64\Phigif32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bhkhibmc.exe Baaplhef.exe File created C:\Windows\SysWOW64\Fnaokmco.exe Fkcboack.exe File created C:\Windows\SysWOW64\Mcpeiqdc.dll Djfcaohp.exe File created C:\Windows\SysWOW64\Lmdemd32.exe Process not Found File created C:\Windows\SysWOW64\Fooclapd.exe Process not Found File created C:\Windows\SysWOW64\Ojqhdcii.dll Process not Found File created C:\Windows\SysWOW64\Nckkfp32.exe Process not Found File created C:\Windows\SysWOW64\Qihfjd32.dll Bjddphlq.exe File created C:\Windows\SysWOW64\Kijjbofj.exe Kflnfcgg.exe File created C:\Windows\SysWOW64\Dmennnni.exe Process not Found File created C:\Windows\SysWOW64\Gldglf32.exe Process not Found File created C:\Windows\SysWOW64\Cdpagn32.dll Goljqnpd.exe File created C:\Windows\SysWOW64\Cmpdihki.dll Process not Found File created C:\Windows\SysWOW64\Nmfcok32.exe Process not Found File created C:\Windows\SysWOW64\Lhnhajba.exe Process not Found File created C:\Windows\SysWOW64\Ijcomn32.dll Process not Found File created C:\Windows\SysWOW64\Hihbijhn.exe Hfifmnij.exe File created C:\Windows\SysWOW64\Njiegl32.exe Nhkikq32.exe File created C:\Windows\SysWOW64\Qdhogopn.dll Process not Found File created C:\Windows\SysWOW64\Jpbhgp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dccbbhld.exe Dhnnep32.exe File created C:\Windows\SysWOW64\Ppjbmc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Foclgq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ijogmdqm.exe Igqkqiai.exe File created C:\Windows\SysWOW64\Kclgmq32.exe Process not Found File created C:\Windows\SysWOW64\Kiodpebj.dll Process not Found File created C:\Windows\SysWOW64\Obidhaog.exe Okolkg32.exe File created C:\Windows\SysWOW64\Glgmkm32.dll Oponmilc.exe File created C:\Windows\SysWOW64\Cmnpgb32.exe Cfdhkhjj.exe File opened for modification C:\Windows\SysWOW64\Ddmaok32.exe Dmcibama.exe File created C:\Windows\SysWOW64\Micoed32.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Gcedencn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Icgjmapi.exe Ikpaldog.exe File created C:\Windows\SysWOW64\Mhppji32.exe Lfodbqfa.exe File created C:\Windows\SysWOW64\Ohfaap32.dll Oidhlb32.exe File opened for modification C:\Windows\SysWOW64\Lopmii32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Egohdegl.exe Process not Found File created C:\Windows\SysWOW64\Eefaomcg.exe Eajeon32.exe File created C:\Windows\SysWOW64\Qopkop32.dll Bebblb32.exe File opened for modification C:\Windows\SysWOW64\Gdgfce32.exe Gnmnfkia.exe File created C:\Windows\SysWOW64\Fmgejhgn.exe Efmmmn32.exe File opened for modification C:\Windows\SysWOW64\Njfagf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pfccogfc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe Mcpnhfhf.exe File created C:\Windows\SysWOW64\Haffcnib.dll Bfedoc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17128 15832 Process not Found 1810 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbhpb32.dll" Kkhpdcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achnlqjp.dll" Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mojhgbdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdkidohn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjjghcfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enqjamin.dll" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemikcpm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eabbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcafnn32.dll" Hbpphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaqhj32.dll" Mhppji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pibdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnipccc.dll" Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpapf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgodhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfaqhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcklla32.dll" Efdjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahcajk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmljnd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knegmo32.dll" Olgemcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbgalmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll" Pmoahijl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll" Meiaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pleaoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boipmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Codhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njiegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 868 wrote to memory of 4568 868 e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc.exe 81 PID 868 wrote to memory of 4568 868 e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc.exe 81 PID 868 wrote to memory of 4568 868 e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc.exe 81 PID 4568 wrote to memory of 604 4568 Okhfjh32.exe 82 PID 4568 wrote to memory of 604 4568 Okhfjh32.exe 82 PID 4568 wrote to memory of 604 4568 Okhfjh32.exe 82 PID 604 wrote to memory of 4540 604 Oqdoboli.exe 83 PID 604 wrote to memory of 4540 604 Oqdoboli.exe 83 PID 604 wrote to memory of 4540 604 Oqdoboli.exe 83 PID 4540 wrote to memory of 1636 4540 Odpjcm32.exe 84 PID 4540 wrote to memory of 1636 4540 Odpjcm32.exe 84 PID 4540 wrote to memory of 1636 4540 Odpjcm32.exe 84 PID 1636 wrote to memory of 2096 1636 Onholckc.exe 85 PID 1636 wrote to memory of 2096 1636 Onholckc.exe 85 PID 1636 wrote to memory of 2096 1636 Onholckc.exe 85 PID 2096 wrote to memory of 456 2096 Ocegdjij.exe 86 PID 2096 wrote to memory of 456 2096 Ocegdjij.exe 86 PID 2096 wrote to memory of 456 2096 Ocegdjij.exe 86 PID 456 wrote to memory of 1020 456 Ogaceh32.exe 87 PID 456 wrote to memory of 1020 456 Ogaceh32.exe 87 PID 456 wrote to memory of 1020 456 Ogaceh32.exe 87 PID 1020 wrote to memory of 412 1020 Obfhba32.exe 88 PID 1020 wrote to memory of 412 1020 Obfhba32.exe 88 PID 1020 wrote to memory of 412 1020 Obfhba32.exe 88 PID 412 wrote to memory of 3800 412 Ocgdji32.exe 89 PID 412 wrote to memory of 3800 412 Ocgdji32.exe 89 PID 412 wrote to memory of 3800 412 Ocgdji32.exe 89 PID 3800 wrote to memory of 1624 3800 Okolkg32.exe 90 PID 3800 wrote to memory of 1624 3800 Okolkg32.exe 90 PID 3800 wrote to memory of 1624 3800 Okolkg32.exe 90 PID 1624 wrote to memory of 704 1624 Obidhaog.exe 91 PID 1624 wrote to memory of 704 1624 Obidhaog.exe 91 PID 1624 wrote to memory of 704 1624 Obidhaog.exe 91 PID 704 wrote to memory of 2964 704 Pgemphmn.exe 92 PID 704 wrote to memory of 2964 704 Pgemphmn.exe 92 PID 704 wrote to memory of 2964 704 Pgemphmn.exe 92 PID 2964 wrote to memory of 3900 2964 Pnpemb32.exe 93 PID 2964 wrote to memory of 3900 2964 Pnpemb32.exe 93 PID 2964 wrote to memory of 3900 2964 Pnpemb32.exe 93 PID 3900 wrote to memory of 836 3900 Peimil32.exe 94 PID 3900 wrote to memory of 836 3900 Peimil32.exe 94 PID 3900 wrote to memory of 836 3900 Peimil32.exe 94 PID 836 wrote to memory of 2132 836 Pjffbc32.exe 95 PID 836 wrote to memory of 2132 836 Pjffbc32.exe 95 PID 836 wrote to memory of 2132 836 Pjffbc32.exe 95 PID 2132 wrote to memory of 2356 2132 Pqpnombl.exe 96 PID 2132 wrote to memory of 2356 2132 Pqpnombl.exe 96 PID 2132 wrote to memory of 2356 2132 Pqpnombl.exe 96 PID 2356 wrote to memory of 3268 2356 Pcojkhap.exe 97 PID 2356 wrote to memory of 3268 2356 Pcojkhap.exe 97 PID 2356 wrote to memory of 3268 2356 Pcojkhap.exe 97 PID 3268 wrote to memory of 964 3268 Pjhbgb32.exe 98 PID 3268 wrote to memory of 964 3268 Pjhbgb32.exe 98 PID 3268 wrote to memory of 964 3268 Pjhbgb32.exe 98 PID 964 wrote to memory of 3576 964 Pengdk32.exe 99 PID 964 wrote to memory of 3576 964 Pengdk32.exe 99 PID 964 wrote to memory of 3576 964 Pengdk32.exe 99 PID 3576 wrote to memory of 3188 3576 Pjkombfj.exe 100 PID 3576 wrote to memory of 3188 3576 Pjkombfj.exe 100 PID 3576 wrote to memory of 3188 3576 Pjkombfj.exe 100 PID 3188 wrote to memory of 3596 3188 Pcccfh32.exe 101 PID 3188 wrote to memory of 3596 3188 Pcccfh32.exe 101 PID 3188 wrote to memory of 3596 3188 Pcccfh32.exe 101 PID 3596 wrote to memory of 4528 3596 Qcepkg32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc.exe"C:\Users\Admin\AppData\Local\Temp\e8a453d582ac19fa383c7f299b22d8727e59ffc27ad7f240267f53f99f1551dc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe23⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe24⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe25⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe26⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe27⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe28⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe29⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe30⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe31⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe32⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe33⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe34⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe35⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe37⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe38⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe39⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe40⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe41⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe42⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe43⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe44⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe45⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe46⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe47⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe48⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe50⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe51⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe52⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe53⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe54⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe55⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe56⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe57⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe58⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe59⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe60⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe61⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe62⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe63⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe64⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe65⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe66⤵PID:2168
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe67⤵PID:3200
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe68⤵PID:2624
-
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe69⤵PID:2248
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe70⤵PID:4784
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe71⤵PID:2504
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe72⤵
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe73⤵PID:4312
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe74⤵PID:5112
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe75⤵PID:2100
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe76⤵PID:3168
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe77⤵PID:4380
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe78⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe79⤵PID:1672
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe80⤵PID:4984
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe81⤵PID:3680
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe82⤵PID:2492
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe83⤵PID:1248
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe84⤵PID:4748
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe85⤵PID:3092
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe86⤵PID:1508
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe87⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe88⤵PID:3024
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4004 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe90⤵PID:4588
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe91⤵PID:2228
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe92⤵PID:5076
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe93⤵PID:2756
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe94⤵PID:3292
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe95⤵PID:3160
-
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe96⤵PID:2232
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe97⤵PID:2892
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe98⤵PID:1532
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe99⤵PID:1436
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe100⤵PID:4368
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe101⤵PID:4140
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe102⤵PID:4068
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe103⤵PID:5024
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe104⤵PID:3008
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe105⤵PID:1736
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe106⤵PID:60
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:652 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe108⤵PID:3960
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe109⤵PID:4800
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe110⤵PID:372
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe111⤵PID:4992
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe112⤵PID:440
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe113⤵PID:912
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe114⤵PID:4840
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe115⤵PID:5004
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe117⤵PID:1924
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe118⤵PID:2260
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe119⤵PID:1224
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe120⤵PID:3464
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe121⤵PID:5140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-