Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
54s -
max time network
50s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 21:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9.exe
-
Size
844KB
-
MD5
b3bfb619d1edfe46a51f1c1835c31f4e
-
SHA1
793a2788008345207f1e3e47d9a9ada37fdb8a4b
-
SHA256
42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9
-
SHA512
e934974013a4face03c5aa54a053661662754c62607cdf76e9cb3016867c4aeaa686a651a981007b31b072af6b0b52184b9700ebc6362bbd411a52624b8408f9
-
SSDEEP
24576:6/itH5W3Tnbc53cp6p5vihMpQnqrdX72LbY6x46uR/qYglMS:+itH5W3TbGBihw+cdX2x46uhqllMS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miemjaci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Falcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahode32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hglaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqkpeopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmidndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndfqbhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikokan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idebdcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcbfakec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmppcbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eemgplno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflcbngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhcgaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgffic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfhfhong.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlpnih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghaliknf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppfaka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbmmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlleaeff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aompak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdfoio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfngjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghniielm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpghkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilidbbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjhkjle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehfljca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfcjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgjblfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdoihpbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefaomcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlklkgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nilcjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajgkfio.exe -
Executes dropped EXE 64 IoCs
pid Process 1752 Qjbena32.exe 2076 Acjjfggb.exe 3272 Ajdbcano.exe 3236 Aanjpk32.exe 4496 Acmflf32.exe 4004 Acocaf32.exe 3396 Ahmlgd32.exe 3044 Angddopp.exe 4180 Aaepqjpd.exe 3248 Adcmmeog.exe 2152 Ajneip32.exe 2212 Aniajnnn.exe 880 Bahmfj32.exe 2756 Bdfibe32.exe 3000 Bhaebcen.exe 4492 Bjpaooda.exe 1772 Bnlnon32.exe 3676 Bajjli32.exe 748 Beeflhdh.exe 1176 Bhdbhcck.exe 2816 Bnnjen32.exe 888 Balfaiil.exe 536 Bdkcmdhp.exe 3204 Blbknaib.exe 3704 Bopgjmhe.exe 4416 Baocghgi.exe 3292 Bejogg32.exe 2384 Bhikcb32.exe 2008 Bldgdago.exe 3452 Bobcpmfc.exe 3972 Baaplhef.exe 2052 Bhkhibmc.exe 2936 Bkidenlg.exe 3184 Boepel32.exe 5108 Cbqlfkmi.exe 3940 Ceoibflm.exe 924 Cdainc32.exe 952 Cliaoq32.exe 2760 Cklaknjd.exe 4168 Cbcilkjg.exe 2944 Cafigg32.exe 2780 Cddecc32.exe 4896 Chpada32.exe 116 Cknnpm32.exe 2704 Cbefaj32.exe 4488 Cahfmgoo.exe 5048 Cdfbibnb.exe 4172 Chbnia32.exe 2876 Ckpjfm32.exe 3968 Cbgbgj32.exe 32 Cefoce32.exe 1012 Cdiooblp.exe 1148 Clpgpp32.exe 2216 Conclk32.exe 4476 Camphf32.exe 736 Cehkhecb.exe 4188 Chghdqbf.exe 1996 Ckedalaj.exe 2400 Dbllbibl.exe 2344 Daolnf32.exe 2196 Ddmhja32.exe 1140 Dldpkoil.exe 4016 Docmgjhp.exe 4980 Dboigi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gbobfjdp.dll Process not Found File created C:\Windows\SysWOW64\Eehicoel.exe Process not Found File created C:\Windows\SysWOW64\Mlampmdo.exe Mibpda32.exe File created C:\Windows\SysWOW64\Fqhajknb.dll Aqkpeopg.exe File created C:\Windows\SysWOW64\Elcfgpga.dll Kjpijpdg.exe File opened for modification C:\Windows\SysWOW64\Mfjcnold.exe Mockmala.exe File created C:\Windows\SysWOW64\Pkpimfpo.dll Ghpendjj.exe File created C:\Windows\SysWOW64\Mhdjehhj.exe Mefmimif.exe File opened for modification C:\Windows\SysWOW64\Maodigil.exe Process not Found File created C:\Windows\SysWOW64\Lgpjggdi.dll Ghipne32.exe File created C:\Windows\SysWOW64\Egneae32.dll Cpbbch32.exe File created C:\Windows\SysWOW64\Oiknlagg.exe Process not Found File created C:\Windows\SysWOW64\Kahobhgo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe Gkkojgao.exe File created C:\Windows\SysWOW64\Conjbj32.dll Fedmqk32.exe File opened for modification C:\Windows\SysWOW64\Kldmckic.exe Jieagojp.exe File created C:\Windows\SysWOW64\Dpmcmd32.dll Aqmlknnd.exe File created C:\Windows\SysWOW64\Nfamlc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qoelkp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bdmmeo32.exe Process not Found File created C:\Windows\SysWOW64\Bnbmefbg.exe Bfkedibe.exe File created C:\Windows\SysWOW64\Fhmpagkp.exe Feocelll.exe File created C:\Windows\SysWOW64\Bpapcb32.dll Fkcboack.exe File opened for modification C:\Windows\SysWOW64\Gkglja32.exe Ghipne32.exe File created C:\Windows\SysWOW64\Kfcfimfi.dll Process not Found File created C:\Windows\SysWOW64\Flfelggh.dll Mdhdajea.exe File created C:\Windows\SysWOW64\Kcllei32.dll Cglgjeci.exe File opened for modification C:\Windows\SysWOW64\Nlkngo32.exe Process not Found File created C:\Windows\SysWOW64\Gfqnichl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe Ofeilobp.exe File opened for modification C:\Windows\SysWOW64\Ehfcfb32.exe Epokedmj.exe File created C:\Windows\SysWOW64\Gikgni32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cjpckf32.exe Cdfkolkf.exe File opened for modification C:\Windows\SysWOW64\Djdmffnn.exe Calhnpgn.exe File opened for modification C:\Windows\SysWOW64\Npedmdab.exe Nlihle32.exe File created C:\Windows\SysWOW64\Hkjjlhle.exe Hgnoki32.exe File created C:\Windows\SysWOW64\Ihgnkkbd.exe Idkbkl32.exe File created C:\Windows\SysWOW64\Mblcnj32.exe Process not Found File created C:\Windows\SysWOW64\Ddalgo32.dll Process not Found File created C:\Windows\SysWOW64\Lmdina32.exe Liimncmf.exe File created C:\Windows\SysWOW64\Nggjdc32.exe Nckndeni.exe File opened for modification C:\Windows\SysWOW64\Jgakbm32.exe Jiokfpph.exe File created C:\Windows\SysWOW64\Jgnboabc.dll Fipbdikp.exe File created C:\Windows\SysWOW64\Hncfnebg.dll Ghkeio32.exe File opened for modification C:\Windows\SysWOW64\Igigla32.exe Process not Found File created C:\Windows\SysWOW64\Cjijid32.dll Process not Found File created C:\Windows\SysWOW64\Ffkjlp32.exe Fbpnkama.exe File created C:\Windows\SysWOW64\Mkfepj32.dll Aggegh32.exe File opened for modification C:\Windows\SysWOW64\Ckfphc32.exe Process not Found File created C:\Windows\SysWOW64\Anfjipgp.dll Process not Found File created C:\Windows\SysWOW64\Qjkmdp32.dll Ndaggimg.exe File created C:\Windows\SysWOW64\Lfodbqfa.exe Lbchba32.exe File created C:\Windows\SysWOW64\Lmeffoid.dll Nojanpej.exe File created C:\Windows\SysWOW64\Dppadp32.dll Aimkjp32.exe File opened for modification C:\Windows\SysWOW64\Flfkkhid.exe Process not Found File created C:\Windows\SysWOW64\Cqopkcbn.dll Process not Found File created C:\Windows\SysWOW64\Gohhpe32.exe Gmjlcj32.exe File created C:\Windows\SysWOW64\Ebdijfii.dll Beglgani.exe File created C:\Windows\SysWOW64\Fhdohp32.exe Fdhcgaic.exe File created C:\Windows\SysWOW64\Lejgch32.exe Lankbigo.exe File opened for modification C:\Windows\SysWOW64\Kebbafoj.exe Kdqejn32.exe File created C:\Windows\SysWOW64\Gnmnfkia.exe Gkobjpin.exe File created C:\Windows\SysWOW64\Mockmala.exe Mpqkad32.exe File created C:\Windows\SysWOW64\Niniei32.exe Nebmekoi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7036 11960 Process not Found 1658 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfpjcbmh.dll" Lpekef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjdiliki.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlednamo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pggbkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icgcab32.dll" Bmkcqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Milidebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kollmhpg.dll" Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhikcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" Pflplnlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfklhhcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeheme32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkjbip32.dll" Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhgfkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qljjjqlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpiljh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Molelb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaplg32.dll" Pgihfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalbjhdj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbqlfkmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iamfph32.dll" Cimcan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdcjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpihol32.dll" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhclbphg.dll" Fckajehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfnegggi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enqjamin.dll" Jjopcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapgek32.dll" Conclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcioiood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll" Klngdpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll" Mipcob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npmagine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddoeojd.dll" Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkgkgoe.dll" Kflnfcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibgpcd32.dll" Leenhhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gepmlimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbngpi32.dll" Cjomap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdcjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhkjegqi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbqlfkmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhebonp.dll" Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfoplpla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdliee32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edihepnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnifigpa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1060 wrote to memory of 1752 1060 42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9.exe 80 PID 1060 wrote to memory of 1752 1060 42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9.exe 80 PID 1060 wrote to memory of 1752 1060 42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9.exe 80 PID 1752 wrote to memory of 2076 1752 Qjbena32.exe 81 PID 1752 wrote to memory of 2076 1752 Qjbena32.exe 81 PID 1752 wrote to memory of 2076 1752 Qjbena32.exe 81 PID 2076 wrote to memory of 3272 2076 Acjjfggb.exe 82 PID 2076 wrote to memory of 3272 2076 Acjjfggb.exe 82 PID 2076 wrote to memory of 3272 2076 Acjjfggb.exe 82 PID 3272 wrote to memory of 3236 3272 Ajdbcano.exe 1268 PID 3272 wrote to memory of 3236 3272 Ajdbcano.exe 1268 PID 3272 wrote to memory of 3236 3272 Ajdbcano.exe 1268 PID 3236 wrote to memory of 4496 3236 Aanjpk32.exe 84 PID 3236 wrote to memory of 4496 3236 Aanjpk32.exe 84 PID 3236 wrote to memory of 4496 3236 Aanjpk32.exe 84 PID 4496 wrote to memory of 4004 4496 Acmflf32.exe 85 PID 4496 wrote to memory of 4004 4496 Acmflf32.exe 85 PID 4496 wrote to memory of 4004 4496 Acmflf32.exe 85 PID 4004 wrote to memory of 3396 4004 Acocaf32.exe 86 PID 4004 wrote to memory of 3396 4004 Acocaf32.exe 86 PID 4004 wrote to memory of 3396 4004 Acocaf32.exe 86 PID 3396 wrote to memory of 3044 3396 Ahmlgd32.exe 87 PID 3396 wrote to memory of 3044 3396 Ahmlgd32.exe 87 PID 3396 wrote to memory of 3044 3396 Ahmlgd32.exe 87 PID 3044 wrote to memory of 4180 3044 Angddopp.exe 88 PID 3044 wrote to memory of 4180 3044 Angddopp.exe 88 PID 3044 wrote to memory of 4180 3044 Angddopp.exe 88 PID 4180 wrote to memory of 3248 4180 Aaepqjpd.exe 89 PID 4180 wrote to memory of 3248 4180 Aaepqjpd.exe 89 PID 4180 wrote to memory of 3248 4180 Aaepqjpd.exe 89 PID 3248 wrote to memory of 2152 3248 Adcmmeog.exe 90 PID 3248 wrote to memory of 2152 3248 Adcmmeog.exe 90 PID 3248 wrote to memory of 2152 3248 Adcmmeog.exe 90 PID 2152 wrote to memory of 2212 2152 Ajneip32.exe 91 PID 2152 wrote to memory of 2212 2152 Ajneip32.exe 91 PID 2152 wrote to memory of 2212 2152 Ajneip32.exe 91 PID 2212 wrote to memory of 880 2212 Aniajnnn.exe 92 PID 2212 wrote to memory of 880 2212 Aniajnnn.exe 92 PID 2212 wrote to memory of 880 2212 Aniajnnn.exe 92 PID 880 wrote to memory of 2756 880 Bahmfj32.exe 93 PID 880 wrote to memory of 2756 880 Bahmfj32.exe 93 PID 880 wrote to memory of 2756 880 Bahmfj32.exe 93 PID 2756 wrote to memory of 3000 2756 Bdfibe32.exe 94 PID 2756 wrote to memory of 3000 2756 Bdfibe32.exe 94 PID 2756 wrote to memory of 3000 2756 Bdfibe32.exe 94 PID 3000 wrote to memory of 4492 3000 Bhaebcen.exe 95 PID 3000 wrote to memory of 4492 3000 Bhaebcen.exe 95 PID 3000 wrote to memory of 4492 3000 Bhaebcen.exe 95 PID 4492 wrote to memory of 1772 4492 Bjpaooda.exe 96 PID 4492 wrote to memory of 1772 4492 Bjpaooda.exe 96 PID 4492 wrote to memory of 1772 4492 Bjpaooda.exe 96 PID 1772 wrote to memory of 3676 1772 Bnlnon32.exe 97 PID 1772 wrote to memory of 3676 1772 Bnlnon32.exe 97 PID 1772 wrote to memory of 3676 1772 Bnlnon32.exe 97 PID 3676 wrote to memory of 748 3676 Bajjli32.exe 98 PID 3676 wrote to memory of 748 3676 Bajjli32.exe 98 PID 3676 wrote to memory of 748 3676 Bajjli32.exe 98 PID 748 wrote to memory of 1176 748 Beeflhdh.exe 99 PID 748 wrote to memory of 1176 748 Beeflhdh.exe 99 PID 748 wrote to memory of 1176 748 Beeflhdh.exe 99 PID 1176 wrote to memory of 2816 1176 Bhdbhcck.exe 100 PID 1176 wrote to memory of 2816 1176 Bhdbhcck.exe 100 PID 1176 wrote to memory of 2816 1176 Bhdbhcck.exe 100 PID 2816 wrote to memory of 888 2816 Bnnjen32.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9.exe"C:\Users\Admin\AppData\Local\Temp\42d883c9c996b39808aacdee8c912f503519367bd96427f85b9cf0dbd6aee1a9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe23⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe24⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe25⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe26⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe27⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe28⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe30⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe31⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe32⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe33⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe34⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe35⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe37⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe38⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe39⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe40⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe41⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe42⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe43⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe44⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe45⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe46⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe47⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe48⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe49⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe50⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe51⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe52⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe53⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe54⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe56⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe57⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe58⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe59⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe60⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe61⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe62⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe63⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe64⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe65⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe66⤵PID:1620
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe67⤵PID:1760
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe68⤵PID:3436
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe69⤵PID:1484
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe70⤵PID:2040
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe71⤵PID:2928
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe72⤵PID:4912
-
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe73⤵PID:2100
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe74⤵PID:5100
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe75⤵PID:2112
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe76⤵PID:3276
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe77⤵PID:1368
-
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3100 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe79⤵PID:3372
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe80⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe81⤵PID:1112
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe82⤵PID:4408
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe83⤵PID:4528
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe84⤵
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe85⤵PID:2292
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe86⤵PID:4776
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe87⤵PID:4720
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe88⤵PID:4664
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe89⤵PID:904
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe90⤵PID:4156
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe91⤵PID:2160
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe92⤵PID:4860
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe93⤵PID:676
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe94⤵PID:4656
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe95⤵PID:2284
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe96⤵PID:3200
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe97⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe98⤵PID:1932
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4588 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe100⤵PID:1036
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe101⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe102⤵PID:1328
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe103⤵PID:1256
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe104⤵PID:4632
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe105⤵PID:3684
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe106⤵PID:4484
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe107⤵PID:3688
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe108⤵PID:2448
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe109⤵
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe110⤵PID:1160
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe111⤵PID:3124
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe112⤵PID:3848
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe113⤵
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe114⤵PID:1728
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe115⤵PID:4696
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe116⤵PID:2824
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe118⤵PID:4428
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe119⤵PID:5144
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe120⤵PID:5184
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe121⤵PID:5220
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-