Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
57s -
max time network
61s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
06/07/2024, 03:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7.exe
-
Size
99KB
-
MD5
d57c1cca9a9b475361b374ad8091c615
-
SHA1
74a45c2b10dd4c4b8739f8ea83dde2cc8f66417f
-
SHA256
df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7
-
SHA512
8a1b4c160ef6594942f2829b1950d5bb8626a418b2901b036b038d5266ce1328723610fbb98ecb05b6181f2d753689248efa6f926fb8939b135c61961fa15c0e
-
SSDEEP
1536:JObXlNpBRd5yL7uM6CiEVMsUpXWg2SRQyuRvwtycORTRQ6mRQQRRQjGmZrhAVK5:QXXDQWM6nXDeyupwoTRBmDRGGurhUI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljklo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpolbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqnbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efgemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhccj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkphhgfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbdah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqjbddpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpkiph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keqdmihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhikacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiknlagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhncdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmipblaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohkbbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjbcakl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chokikeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbadcpbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqglkmlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmohno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malgcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aafemk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekaapi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jekqmhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpekef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcclld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekodjiol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoeieolb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcncpbmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdbpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keifdpif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnhdkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjiaql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkpbin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe -
Executes dropped EXE 64 IoCs
pid Process 3996 Opakbi32.exe 4436 Ojjolnaq.exe 3904 Opdghh32.exe 4600 Ognpebpj.exe 1860 Olkhmi32.exe 1444 Ofcmfodb.exe 4060 Olmeci32.exe 4188 Ocgmpccl.exe 4332 Pmoahijl.exe 752 Pcijeb32.exe 2424 Pmannhhj.exe 440 Pfjcgn32.exe 2360 Pcncpbmd.exe 748 Pjhlml32.exe 4252 Pcppfaka.exe 2756 Pnfdcjkg.exe 400 Qmkadgpo.exe 3120 Qfcfml32.exe 4556 Qddfkd32.exe 2712 Adgbpc32.exe 2188 Aclpap32.exe 4808 Aepefb32.exe 832 Bmkjkd32.exe 1212 Bebblb32.exe 3588 Bganhm32.exe 1624 Bmpcfdmg.exe 2668 Bfhhoi32.exe 4164 Banllbdn.exe 4364 Bnbmefbg.exe 408 Bapiabak.exe 3224 Cabfga32.exe 4304 Cnffqf32.exe 2904 Chokikeb.exe 4340 Cagobalc.exe 4944 Cjpckf32.exe 2124 Cjbpaf32.exe 2924 Calhnpgn.exe 1440 Dopigd32.exe 4200 Dfknkg32.exe 1344 Daqbip32.exe 1200 Dkifae32.exe 4292 Ddakjkqi.exe 4076 Dogogcpo.exe 2632 Dhocqigp.exe 2084 Dahhio32.exe 2068 Edfdej32.exe 2932 Eolhbc32.exe 1596 Eefaomcg.exe 1688 Ealadnik.exe 3720 Ekefmc32.exe 3000 Edmjfifl.exe 4580 Eobocb32.exe 4020 Eemgplno.exe 3304 Ehkclgmb.exe 2004 Emhldnkj.exe 3308 Fdbdah32.exe 4664 Fgppmd32.exe 3548 Foghnabl.exe 4068 Fhpmgg32.exe 4848 Fknicb32.exe 956 Fedmqk32.exe 1080 Fgeihcme.exe 4904 Fnobem32.exe 4788 Fefjfked.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lmnbjama.dll Pmpolgoi.exe File created C:\Windows\SysWOW64\Dgbanq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ojjolnaq.exe Opakbi32.exe File opened for modification C:\Windows\SysWOW64\Qikgco32.exe Qepkbpak.exe File created C:\Windows\SysWOW64\Nlkgmh32.exe Nccokk32.exe File created C:\Windows\SysWOW64\Eomffaag.exe Egened32.exe File opened for modification C:\Windows\SysWOW64\Neoieenp.exe Njiegl32.exe File created C:\Windows\SysWOW64\Egjgdg32.dll Akepfpcl.exe File opened for modification C:\Windows\SysWOW64\Chiblk32.exe Cpbjkn32.exe File created C:\Windows\SysWOW64\Nobdbkhf.exe Mldhfpib.exe File created C:\Windows\SysWOW64\Cfldelik.exe Cjecpkcg.exe File created C:\Windows\SysWOW64\Ibcjqgnm.exe Ipdndloi.exe File created C:\Windows\SysWOW64\Oblhcj32.exe Oqklkbbi.exe File created C:\Windows\SysWOW64\Jbdbjf32.exe Jnifigpa.exe File created C:\Windows\SysWOW64\Kkjlic32.exe Keqdmihc.exe File created C:\Windows\SysWOW64\Lgepom32.exe Lqkgbcff.exe File created C:\Windows\SysWOW64\Hajkqfoe.exe Hioflcbj.exe File opened for modification C:\Windows\SysWOW64\Jbagbebm.exe Jhkbdmbg.exe File opened for modification C:\Windows\SysWOW64\Eefaomcg.exe Eolhbc32.exe File created C:\Windows\SysWOW64\Ejoaandc.dll Anclbkbp.exe File created C:\Windows\SysWOW64\Mfbaalbi.exe Mohidbkl.exe File created C:\Windows\SysWOW64\Iiehpahb.exe Inpccihl.exe File created C:\Windows\SysWOW64\Dfggbllc.dll Phcomcng.exe File created C:\Windows\SysWOW64\Fhofmq32.exe Fineoi32.exe File created C:\Windows\SysWOW64\Icfekc32.exe Ilmmni32.exe File created C:\Windows\SysWOW64\Akmmffmb.dll Kbghfc32.exe File created C:\Windows\SysWOW64\Hgagmm32.dll Qfbobf32.exe File created C:\Windows\SysWOW64\Enjgeopm.dll Ncqlkemc.exe File opened for modification C:\Windows\SysWOW64\Ahmjjoig.exe Qpeahb32.exe File created C:\Windows\SysWOW64\Fdkggg32.exe Famjkl32.exe File created C:\Windows\SysWOW64\Oefgjq32.dll Halhfe32.exe File opened for modification C:\Windows\SysWOW64\Oghppm32.exe Opogbbig.exe File created C:\Windows\SysWOW64\Enhodk32.dll Aednci32.exe File created C:\Windows\SysWOW64\Giidol32.dll Pjmjdm32.exe File created C:\Windows\SysWOW64\Jpbhgp32.dll Ebifmm32.exe File created C:\Windows\SysWOW64\Ojqcnhkl.exe Ocgkan32.exe File opened for modification C:\Windows\SysWOW64\Cmfclm32.exe Cjhfpa32.exe File created C:\Windows\SysWOW64\Dikpbl32.exe Dhjckcgi.exe File opened for modification C:\Windows\SysWOW64\Hacbhb32.exe Hgnoki32.exe File opened for modification C:\Windows\SysWOW64\Pifnhpmi.exe Pekbga32.exe File created C:\Windows\SysWOW64\Fdglmkeg.exe Fmndpq32.exe File opened for modification C:\Windows\SysWOW64\Adfgdpmi.exe Amlogfel.exe File created C:\Windows\SysWOW64\Lfjjga32.exe Lppbkgcj.exe File created C:\Windows\SysWOW64\Ajbmdn32.exe Aakebqbj.exe File created C:\Windows\SysWOW64\Ifomll32.exe Iohejo32.exe File created C:\Windows\SysWOW64\Aaenbd32.exe Aogbfi32.exe File created C:\Windows\SysWOW64\Khgbqkhj.exe Keifdpif.exe File created C:\Windows\SysWOW64\Dkjfaikb.dll Ocgkan32.exe File created C:\Windows\SysWOW64\Odalmibl.exe Omgcpokp.exe File created C:\Windows\SysWOW64\Dmlkhofd.exe Cdecgbfa.exe File created C:\Windows\SysWOW64\Gedhfp32.dll Gnnccl32.exe File created C:\Windows\SysWOW64\Hdkjpimd.dll Igjeanmj.exe File created C:\Windows\SysWOW64\Lppbkgcj.exe Lhijijbg.exe File created C:\Windows\SysWOW64\Fpjcgm32.exe Fllkqn32.exe File created C:\Windows\SysWOW64\Mcqjon32.exe Lndagg32.exe File created C:\Windows\SysWOW64\Iojmqe32.dll Cdbfab32.exe File created C:\Windows\SysWOW64\Dbqpfg32.dll Jngbjd32.exe File opened for modification C:\Windows\SysWOW64\Aclpap32.exe Adgbpc32.exe File opened for modification C:\Windows\SysWOW64\Jicdap32.exe Jnnpdg32.exe File opened for modification C:\Windows\SysWOW64\Aamknj32.exe Akccap32.exe File opened for modification C:\Windows\SysWOW64\Nimmifgo.exe Nbbeml32.exe File created C:\Windows\SysWOW64\Hheoid32.exe Hakgmjoh.exe File created C:\Windows\SysWOW64\Aalmimfd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Paiogf32.exe Pjpfjl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10488 10688 Process not Found 1208 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekefmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnqhicol.dll" Gnkaalkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckilmcgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckhecmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhkafda.dll" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeodmbol.dll" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcqjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iacngdgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flinad32.dll" Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll" Qddfkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjjghcfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaocia32.dll" Ipoopgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jncoikmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjokgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" Aepefb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokmqben.dll" Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" Bebblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jieqei32.dll" Jiaglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfamapjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgnoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmnhcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlghoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Agdhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbfpo32.dll" Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmcnn32.dll" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgbgamd.dll" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabjq32.dll" Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ompfej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpapnfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdcmh32.dll" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmabofh.dll" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opeemh32.dll" Eplnpeol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Maeachag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll" Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjfbb32.dll" Lchfib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaogak32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4564 wrote to memory of 3996 4564 df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7.exe 81 PID 4564 wrote to memory of 3996 4564 df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7.exe 81 PID 4564 wrote to memory of 3996 4564 df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7.exe 81 PID 3996 wrote to memory of 4436 3996 Opakbi32.exe 82 PID 3996 wrote to memory of 4436 3996 Opakbi32.exe 82 PID 3996 wrote to memory of 4436 3996 Opakbi32.exe 82 PID 4436 wrote to memory of 3904 4436 Ojjolnaq.exe 83 PID 4436 wrote to memory of 3904 4436 Ojjolnaq.exe 83 PID 4436 wrote to memory of 3904 4436 Ojjolnaq.exe 83 PID 3904 wrote to memory of 4600 3904 Opdghh32.exe 84 PID 3904 wrote to memory of 4600 3904 Opdghh32.exe 84 PID 3904 wrote to memory of 4600 3904 Opdghh32.exe 84 PID 4600 wrote to memory of 1860 4600 Ognpebpj.exe 85 PID 4600 wrote to memory of 1860 4600 Ognpebpj.exe 85 PID 4600 wrote to memory of 1860 4600 Ognpebpj.exe 85 PID 1860 wrote to memory of 1444 1860 Olkhmi32.exe 86 PID 1860 wrote to memory of 1444 1860 Olkhmi32.exe 86 PID 1860 wrote to memory of 1444 1860 Olkhmi32.exe 86 PID 1444 wrote to memory of 4060 1444 Ofcmfodb.exe 87 PID 1444 wrote to memory of 4060 1444 Ofcmfodb.exe 87 PID 1444 wrote to memory of 4060 1444 Ofcmfodb.exe 87 PID 4060 wrote to memory of 4188 4060 Olmeci32.exe 88 PID 4060 wrote to memory of 4188 4060 Olmeci32.exe 88 PID 4060 wrote to memory of 4188 4060 Olmeci32.exe 88 PID 4188 wrote to memory of 4332 4188 Ocgmpccl.exe 89 PID 4188 wrote to memory of 4332 4188 Ocgmpccl.exe 89 PID 4188 wrote to memory of 4332 4188 Ocgmpccl.exe 89 PID 4332 wrote to memory of 752 4332 Pmoahijl.exe 90 PID 4332 wrote to memory of 752 4332 Pmoahijl.exe 90 PID 4332 wrote to memory of 752 4332 Pmoahijl.exe 90 PID 752 wrote to memory of 2424 752 Pcijeb32.exe 91 PID 752 wrote to memory of 2424 752 Pcijeb32.exe 91 PID 752 wrote to memory of 2424 752 Pcijeb32.exe 91 PID 2424 wrote to memory of 440 2424 Pmannhhj.exe 92 PID 2424 wrote to memory of 440 2424 Pmannhhj.exe 92 PID 2424 wrote to memory of 440 2424 Pmannhhj.exe 92 PID 440 wrote to memory of 2360 440 Pfjcgn32.exe 93 PID 440 wrote to memory of 2360 440 Pfjcgn32.exe 93 PID 440 wrote to memory of 2360 440 Pfjcgn32.exe 93 PID 2360 wrote to memory of 748 2360 Pcncpbmd.exe 94 PID 2360 wrote to memory of 748 2360 Pcncpbmd.exe 94 PID 2360 wrote to memory of 748 2360 Pcncpbmd.exe 94 PID 748 wrote to memory of 4252 748 Pjhlml32.exe 95 PID 748 wrote to memory of 4252 748 Pjhlml32.exe 95 PID 748 wrote to memory of 4252 748 Pjhlml32.exe 95 PID 4252 wrote to memory of 2756 4252 Pcppfaka.exe 96 PID 4252 wrote to memory of 2756 4252 Pcppfaka.exe 96 PID 4252 wrote to memory of 2756 4252 Pcppfaka.exe 96 PID 2756 wrote to memory of 400 2756 Pnfdcjkg.exe 97 PID 2756 wrote to memory of 400 2756 Pnfdcjkg.exe 97 PID 2756 wrote to memory of 400 2756 Pnfdcjkg.exe 97 PID 400 wrote to memory of 3120 400 Qmkadgpo.exe 98 PID 400 wrote to memory of 3120 400 Qmkadgpo.exe 98 PID 400 wrote to memory of 3120 400 Qmkadgpo.exe 98 PID 3120 wrote to memory of 4556 3120 Qfcfml32.exe 99 PID 3120 wrote to memory of 4556 3120 Qfcfml32.exe 99 PID 3120 wrote to memory of 4556 3120 Qfcfml32.exe 99 PID 4556 wrote to memory of 2712 4556 Qddfkd32.exe 100 PID 4556 wrote to memory of 2712 4556 Qddfkd32.exe 100 PID 4556 wrote to memory of 2712 4556 Qddfkd32.exe 100 PID 2712 wrote to memory of 2188 2712 Adgbpc32.exe 101 PID 2712 wrote to memory of 2188 2712 Adgbpc32.exe 101 PID 2712 wrote to memory of 2188 2712 Adgbpc32.exe 101 PID 2188 wrote to memory of 4808 2188 Aclpap32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7.exe"C:\Users\Admin\AppData\Local\Temp\df494d0199ca30615ce88ed8347d545e91d987889297c8898609f8144ae24eb7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe24⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe26⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe27⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe28⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe29⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe30⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe32⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe33⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe36⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe37⤵PID:4844
-
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe38⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe39⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe40⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe41⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe42⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe44⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe45⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe46⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe47⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe48⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe50⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe51⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3720 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe53⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe54⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe55⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe56⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe57⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe59⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe60⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe61⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe62⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe63⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe64⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe65⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe66⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe67⤵PID:804
-
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe68⤵
- Drops file in System32 directory
PID:4472 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe69⤵PID:2352
-
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe70⤵PID:1136
-
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe71⤵
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe72⤵PID:2560
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe73⤵PID:4792
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe74⤵PID:4632
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe75⤵PID:4320
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4712 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe77⤵PID:1916
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe78⤵PID:3508
-
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe79⤵PID:3096
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe80⤵
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe81⤵PID:2184
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe82⤵PID:1604
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe83⤵PID:4400
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe84⤵
- Drops file in System32 directory
PID:3404 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe85⤵PID:1732
-
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe86⤵PID:4656
-
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe87⤵PID:756
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe88⤵PID:4680
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe89⤵PID:2416
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe90⤵PID:3040
-
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe91⤵PID:4684
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe92⤵PID:3148
-
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe93⤵PID:2016
-
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe94⤵PID:3268
-
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe95⤵PID:3644
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe96⤵PID:1316
-
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe97⤵PID:4984
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe98⤵PID:3684
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe99⤵PID:3888
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe100⤵PID:4324
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe101⤵
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe102⤵PID:1268
-
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe103⤵PID:2612
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe104⤵PID:2296
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe105⤵
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe106⤵PID:4388
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe107⤵PID:4612
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe108⤵PID:4184
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe109⤵PID:3176
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe110⤵
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe111⤵PID:3700
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe112⤵PID:3860
-
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe113⤵PID:1652
-
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe114⤵
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe115⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe116⤵PID:5236
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe117⤵PID:5280
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe118⤵PID:5324
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe119⤵PID:5368
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe120⤵PID:5412
-
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe121⤵PID:5456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-