Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
07/07/2024, 01:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d.exe
-
Size
224KB
-
MD5
41ab273ad3e0317eead9ff2e8fc6512f
-
SHA1
b468001fe45a2b9635239ac2eba5ac3a6f8e71bb
-
SHA256
a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d
-
SHA512
2a4bdd4ce0b3b23e02e99cfcc2e5ea3bce88c04b577ce6f735563839d6b66a58ffc026a4619703ea1e1b0ea21be982cfe893051bd4ea51e56738485bc3fa3737
-
SSDEEP
6144:QLnIXsE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:FaAD6RrI1+lDML
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaajed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njmhhefi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdojjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doccpcja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjaleemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qikgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplicjok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ondljl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qacameaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filiii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdjapgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamknj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcmkgmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkdof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liqihglg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgmoigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ooqqdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gljgbllj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgccinoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehhpla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekajec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdaile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkogiikb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoahh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iddljmpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjcmngnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oikjkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Falcae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjimhnh.exe -
Executes dropped EXE 64 IoCs
pid Process 2940 Eigonjcj.exe 524 Ehhpla32.exe 2868 Emehdh32.exe 3980 Filiii32.exe 1016 Facqkg32.exe 1200 Ffpicn32.exe 2244 Fhofmq32.exe 116 Fmlneg32.exe 1128 Fajgkfio.exe 3488 Fkbkdkpp.exe 1388 Falcae32.exe 3712 Ggilil32.exe 1636 Gigheh32.exe 2908 Gkgeoklj.exe 1424 Gdoihpbk.exe 3164 Gilapgqb.exe 432 Ggpbjkpl.exe 2004 Gnjjfegi.exe 2208 Gddbcp32.exe 3224 Gahcmd32.exe 4364 Hkpheidp.exe 4240 Hhdhon32.exe 4512 Hpomcp32.exe 636 Hjhalefe.exe 4984 Hglaej32.exe 1064 Haafcb32.exe 4076 Hgnoki32.exe 768 Idbodn32.exe 4660 Iklgah32.exe 868 Iddljmpc.exe 4120 Inmpcc32.exe 4464 Ihbdplfi.exe 3948 Inomhbeq.exe 2136 Ihdafkdg.exe 3524 Ikcmbfcj.exe 4176 Ibmeoq32.exe 3176 Ihgnkkbd.exe 1156 Indfca32.exe 1940 Jkhgmf32.exe 1264 Jbaojpgb.exe 2396 Jhlgfj32.exe 3012 Jnhpoamf.exe 1412 Jgadgf32.exe 3008 Jnkldqkc.exe 444 Jkomneim.exe 2016 Jqlefl32.exe 3624 Kiejmi32.exe 4236 Knbbep32.exe 3468 Kgjgne32.exe 3484 Kbpkkn32.exe 1812 Kkhpdcab.exe 2112 Knflpoqf.exe 1848 Keqdmihc.exe 1268 Kkjlic32.exe 2636 Kecabifp.exe 3648 Knkekn32.exe 4020 Liqihglg.exe 1036 Lkofdbkj.exe 4852 Lalnmiia.exe 1328 Lgffic32.exe 1404 Lnpofnhk.exe 2188 Lejgch32.exe 4368 Lghcocol.exe 992 Lnbklm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Amcehdod.exe Akdilipp.exe File opened for modification C:\Windows\SysWOW64\Bdojjo32.exe Bobabg32.exe File created C:\Windows\SysWOW64\Dkcndeen.exe Ddifgk32.exe File created C:\Windows\SysWOW64\Gmflgn32.dll Fkbkdkpp.exe File opened for modification C:\Windows\SysWOW64\Hiiggoaf.exe Hmbfbn32.exe File opened for modification C:\Windows\SysWOW64\Kapfiqoj.exe Kpnjah32.exe File created C:\Windows\SysWOW64\Kemooo32.exe Kpqggh32.exe File created C:\Windows\SysWOW64\Ddjmba32.exe Dnpdegjp.exe File created C:\Windows\SysWOW64\Jcdjbk32.exe Jngbjd32.exe File opened for modification C:\Windows\SysWOW64\Kodnmkap.exe Kflide32.exe File created C:\Windows\SysWOW64\Ncqlkemc.exe Nmfcok32.exe File created C:\Windows\SysWOW64\Oakbehfe.exe Ojajin32.exe File created C:\Windows\SysWOW64\Dgdncplk.exe Dahfkimd.exe File created C:\Windows\SysWOW64\Mnggge32.dll Lkofdbkj.exe File created C:\Windows\SysWOW64\Dbkjdh32.dll Qebhhp32.exe File opened for modification C:\Windows\SysWOW64\Bbhildae.exe Bmladm32.exe File created C:\Windows\SysWOW64\Lgkpdcmi.exe Lnbklm32.exe File opened for modification C:\Windows\SysWOW64\Gnblnlhl.exe Gghdaa32.exe File created C:\Windows\SysWOW64\Ggmmlamj.exe Geoapenf.exe File created C:\Windows\SysWOW64\Oqpakfgb.dll Akffafgg.exe File created C:\Windows\SysWOW64\Pgfcalbj.dll Qhmqdemc.exe File created C:\Windows\SysWOW64\Eiahpo32.dll Calfpk32.exe File created C:\Windows\SysWOW64\Oghdfilo.dll Dlkbjqgm.exe File opened for modification C:\Windows\SysWOW64\Jkimho32.exe Jdodkebj.exe File created C:\Windows\SysWOW64\Nbdfqocb.dll Hffken32.exe File created C:\Windows\SysWOW64\Bknlbhhe.exe Baegibae.exe File opened for modification C:\Windows\SysWOW64\Glcaambb.exe Fjadje32.exe File created C:\Windows\SysWOW64\Hcblpdgg.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Hmmfmhll.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Jpegkj32.exe Jikoopij.exe File opened for modification C:\Windows\SysWOW64\Kbpkkn32.exe Kgjgne32.exe File created C:\Windows\SysWOW64\Oldamm32.exe Oaompd32.exe File created C:\Windows\SysWOW64\Cjgjmg32.dll Hmmfmhll.exe File created C:\Windows\SysWOW64\Omjbpn32.dll Dkndie32.exe File opened for modification C:\Windows\SysWOW64\Fkhpfbce.exe Fqbliicp.exe File created C:\Windows\SysWOW64\Bmidnm32.exe Babcil32.exe File created C:\Windows\SysWOW64\Iddljmpc.exe Iklgah32.exe File created C:\Windows\SysWOW64\Bjfjgifo.dll Lnpofnhk.exe File created C:\Windows\SysWOW64\Mhcmcm32.dll Ddjmba32.exe File created C:\Windows\SysWOW64\Mnmmboed.exe Mokmdh32.exe File created C:\Windows\SysWOW64\Njedbjej.exe Nckkfp32.exe File created C:\Windows\SysWOW64\Mpnmig32.dll Jpegkj32.exe File opened for modification C:\Windows\SysWOW64\Afappe32.exe Acccdj32.exe File created C:\Windows\SysWOW64\Kgjgne32.exe Knbbep32.exe File created C:\Windows\SysWOW64\Jflbhhom.dll Ffceip32.exe File created C:\Windows\SysWOW64\Hmkigh32.exe Hedafk32.exe File opened for modification C:\Windows\SysWOW64\Hnlodjpa.exe Hhaggp32.exe File opened for modification C:\Windows\SysWOW64\Jocnlg32.exe Jifecp32.exe File created C:\Windows\SysWOW64\Npakijcp.dll Mpclce32.exe File created C:\Windows\SysWOW64\Achgjc32.dll Kgjgne32.exe File created C:\Windows\SysWOW64\Cdbijb32.dll Nmnqjp32.exe File created C:\Windows\SysWOW64\Oeheqm32.exe Onnmdcjm.exe File created C:\Windows\SysWOW64\Gpelhd32.exe Gmfplibd.exe File opened for modification C:\Windows\SysWOW64\Hbenoi32.exe Hlkfbocp.exe File opened for modification C:\Windows\SysWOW64\Dgpeha32.exe Cdaile32.exe File created C:\Windows\SysWOW64\Fcekfnkb.exe Fnhbmgmk.exe File created C:\Windows\SysWOW64\Pemomqcn.exe Plejdkmm.exe File created C:\Windows\SysWOW64\Ocgmoc32.dll Ahgjejhd.exe File created C:\Windows\SysWOW64\Lbandhne.dll Qacameaj.exe File opened for modification C:\Windows\SysWOW64\Malgcg32.exe Mnnkgl32.exe File created C:\Windows\SysWOW64\Ijqmhnko.exe Idcepgmg.exe File opened for modification C:\Windows\SysWOW64\Knalji32.exe Kkconn32.exe File opened for modification C:\Windows\SysWOW64\Qkipkani.exe Qhkdof32.exe File opened for modification C:\Windows\SysWOW64\Bhblllfo.exe Bnlhncgi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5388 5544 WerFault.exe 872 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlhkgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdndomn.dll" Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehndnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll" Djgdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdmimbf.dll" Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqjbf32.dll" Mnhdgpii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll" Ccppmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkapdda.dll" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdcdg32.dll" Adjjeieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbjebjh.dll" Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjnkpdc.dll" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll" Dmcain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddmhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdojhec.dll" Iljpij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjkblhfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcbfe32.dll" Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpqlc32.dll" Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll" Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffobhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll" Bigbmpco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihgnkkbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmaamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amlogfel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll" Egbken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll" Eicedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bknlbhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lckboblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podbibma.dll" Biiobo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnbpa32.dll" Mccfdmmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll" Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll" Cpbjkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migidc32.dll" Ggpbjkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonklp32.dll" Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkgiimng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkbjjbda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll" Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll" Kefiopki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejjaqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpclce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amlogfel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll" Nckkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccppmc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3480 wrote to memory of 2940 3480 a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d.exe 84 PID 3480 wrote to memory of 2940 3480 a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d.exe 84 PID 3480 wrote to memory of 2940 3480 a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d.exe 84 PID 2940 wrote to memory of 524 2940 Eigonjcj.exe 85 PID 2940 wrote to memory of 524 2940 Eigonjcj.exe 85 PID 2940 wrote to memory of 524 2940 Eigonjcj.exe 85 PID 524 wrote to memory of 2868 524 Ehhpla32.exe 86 PID 524 wrote to memory of 2868 524 Ehhpla32.exe 86 PID 524 wrote to memory of 2868 524 Ehhpla32.exe 86 PID 2868 wrote to memory of 3980 2868 Emehdh32.exe 87 PID 2868 wrote to memory of 3980 2868 Emehdh32.exe 87 PID 2868 wrote to memory of 3980 2868 Emehdh32.exe 87 PID 3980 wrote to memory of 1016 3980 Filiii32.exe 89 PID 3980 wrote to memory of 1016 3980 Filiii32.exe 89 PID 3980 wrote to memory of 1016 3980 Filiii32.exe 89 PID 1016 wrote to memory of 1200 1016 Facqkg32.exe 90 PID 1016 wrote to memory of 1200 1016 Facqkg32.exe 90 PID 1016 wrote to memory of 1200 1016 Facqkg32.exe 90 PID 1200 wrote to memory of 2244 1200 Ffpicn32.exe 91 PID 1200 wrote to memory of 2244 1200 Ffpicn32.exe 91 PID 1200 wrote to memory of 2244 1200 Ffpicn32.exe 91 PID 2244 wrote to memory of 116 2244 Fhofmq32.exe 92 PID 2244 wrote to memory of 116 2244 Fhofmq32.exe 92 PID 2244 wrote to memory of 116 2244 Fhofmq32.exe 92 PID 116 wrote to memory of 1128 116 Fmlneg32.exe 93 PID 116 wrote to memory of 1128 116 Fmlneg32.exe 93 PID 116 wrote to memory of 1128 116 Fmlneg32.exe 93 PID 1128 wrote to memory of 3488 1128 Fajgkfio.exe 94 PID 1128 wrote to memory of 3488 1128 Fajgkfio.exe 94 PID 1128 wrote to memory of 3488 1128 Fajgkfio.exe 94 PID 3488 wrote to memory of 1388 3488 Fkbkdkpp.exe 95 PID 3488 wrote to memory of 1388 3488 Fkbkdkpp.exe 95 PID 3488 wrote to memory of 1388 3488 Fkbkdkpp.exe 95 PID 1388 wrote to memory of 3712 1388 Falcae32.exe 96 PID 1388 wrote to memory of 3712 1388 Falcae32.exe 96 PID 1388 wrote to memory of 3712 1388 Falcae32.exe 96 PID 3712 wrote to memory of 1636 3712 Ggilil32.exe 97 PID 3712 wrote to memory of 1636 3712 Ggilil32.exe 97 PID 3712 wrote to memory of 1636 3712 Ggilil32.exe 97 PID 1636 wrote to memory of 2908 1636 Gigheh32.exe 98 PID 1636 wrote to memory of 2908 1636 Gigheh32.exe 98 PID 1636 wrote to memory of 2908 1636 Gigheh32.exe 98 PID 2908 wrote to memory of 1424 2908 Gkgeoklj.exe 99 PID 2908 wrote to memory of 1424 2908 Gkgeoklj.exe 99 PID 2908 wrote to memory of 1424 2908 Gkgeoklj.exe 99 PID 1424 wrote to memory of 3164 1424 Gdoihpbk.exe 100 PID 1424 wrote to memory of 3164 1424 Gdoihpbk.exe 100 PID 1424 wrote to memory of 3164 1424 Gdoihpbk.exe 100 PID 3164 wrote to memory of 432 3164 Gilapgqb.exe 101 PID 3164 wrote to memory of 432 3164 Gilapgqb.exe 101 PID 3164 wrote to memory of 432 3164 Gilapgqb.exe 101 PID 432 wrote to memory of 2004 432 Ggpbjkpl.exe 102 PID 432 wrote to memory of 2004 432 Ggpbjkpl.exe 102 PID 432 wrote to memory of 2004 432 Ggpbjkpl.exe 102 PID 2004 wrote to memory of 2208 2004 Gnjjfegi.exe 103 PID 2004 wrote to memory of 2208 2004 Gnjjfegi.exe 103 PID 2004 wrote to memory of 2208 2004 Gnjjfegi.exe 103 PID 2208 wrote to memory of 3224 2208 Gddbcp32.exe 104 PID 2208 wrote to memory of 3224 2208 Gddbcp32.exe 104 PID 2208 wrote to memory of 3224 2208 Gddbcp32.exe 104 PID 3224 wrote to memory of 4364 3224 Gahcmd32.exe 105 PID 3224 wrote to memory of 4364 3224 Gahcmd32.exe 105 PID 3224 wrote to memory of 4364 3224 Gahcmd32.exe 105 PID 4364 wrote to memory of 4240 4364 Hkpheidp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d.exe"C:\Users\Admin\AppData\Local\Temp\a304075d96518a55dad2c8d103c3cbdf9010e9ae94301498055271160248fd8d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe23⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe24⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe25⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe26⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe27⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe28⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe29⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe32⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe33⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe34⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe35⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe36⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe37⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe39⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe40⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe42⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe43⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe44⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe45⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe47⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4236 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3468 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe51⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe52⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe53⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe55⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3648 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe60⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe61⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe63⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe64⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe66⤵PID:232
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe67⤵PID:2380
-
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe68⤵PID:4844
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe69⤵PID:2840
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe70⤵PID:1376
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe71⤵PID:1588
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe72⤵PID:1612
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe73⤵PID:1752
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe74⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe75⤵PID:4388
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe76⤵
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe77⤵PID:3552
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe78⤵PID:4948
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe79⤵PID:2172
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe80⤵PID:4676
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe81⤵PID:4456
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe82⤵PID:208
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe83⤵PID:3600
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe84⤵PID:2120
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe85⤵PID:3088
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe86⤵PID:3996
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe87⤵PID:3264
-
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe88⤵PID:4000
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe89⤵PID:5024
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe90⤵PID:2076
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe91⤵PID:5088
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3096 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe93⤵
- Drops file in System32 directory
PID:3124 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe94⤵PID:2440
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4004 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe97⤵PID:3656
-
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe98⤵PID:1552
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3668 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe100⤵PID:3316
-
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe101⤵PID:3816
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe103⤵PID:4632
-
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe104⤵
- Modifies registry class
PID:4972 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe105⤵PID:4656
-
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe106⤵PID:2432
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe107⤵PID:2540
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe108⤵PID:1976
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe109⤵PID:4140
-
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe110⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe111⤵PID:5176
-
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe112⤵PID:5216
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5268 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe114⤵PID:5312
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe115⤵
- Drops file in System32 directory
PID:5360 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe116⤵PID:5400
-
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe117⤵PID:5444
-
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe118⤵PID:5492
-
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe119⤵PID:5536
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe120⤵PID:5580
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-