Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
21/07/2024, 03:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5b92e6d5ef2fbc2fa130a24448fffbd0N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
5b92e6d5ef2fbc2fa130a24448fffbd0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
5b92e6d5ef2fbc2fa130a24448fffbd0N.exe
-
Size
80KB
-
MD5
5b92e6d5ef2fbc2fa130a24448fffbd0
-
SHA1
b365c527161b488513d94b96b3cc581bf080191e
-
SHA256
d46ab20f81ec341955cb5be932079fe97667c4872b11412cff38a1da87cef372
-
SHA512
7586d8064534e9754a6eeb0b639338458337532affb0c6f98d79e5b7351b9f4bc60b364b04e35d056c27ff1b6b96e5979d9646054e7fe8116ed6b91e4646fa74
-
SSDEEP
1536:bOM3PIthh7+2jeL4GLPOOkvNpznASIeWakmZFeJuqnhCN:qM3Ui2SBBkrASZQmZFeJLCN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjokgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmipdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpbflg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nceefd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkadfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpjmnjqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cflkpblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaindh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olehhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjicdmmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkiaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdoihpbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhccj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocaebc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agiamhdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Modgdicm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aompak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlpeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jedccfqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibaeen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embddb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjohde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehicoel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiehfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcelpggq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qljjjqlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmmbbejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efepbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqiipljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbacd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmieae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqglkmlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkegpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnhdgpii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agdhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Felbnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 3572 Lbqklb32.exe 396 Leoghn32.exe 4980 Llipehgk.exe 3944 Lpekef32.exe 2288 Lfodbqfa.exe 3728 Mhppji32.exe 2852 Mpghkf32.exe 2140 Mfaqhp32.exe 4972 Mhbmphjm.exe 3028 Mbhamajc.exe 3908 Mefmimif.exe 3364 Mlpeff32.exe 2420 Mbjnbqhp.exe 1040 Mehjol32.exe 1608 Mpnnle32.exe 4936 Mfhfhong.exe 4424 Mhicpg32.exe 2040 Mockmala.exe 3208 Nemcjk32.exe 1544 Npchgdcd.exe 960 Ngmpcn32.exe 1184 Niklpj32.exe 2796 Npedmdab.exe 2968 Nohehq32.exe 1568 Ngomin32.exe 536 Nhpiafnm.exe 4664 Nojanpej.exe 2900 Ngaionfl.exe 4172 Nipekiep.exe 3152 Npjnhc32.exe 3952 Nibbqicm.exe 4860 Nplkmckj.exe 4744 Ncjginjn.exe 3732 Oidofh32.exe 1676 Olckbd32.exe 2464 Ocmconhk.exe 2392 Olehhc32.exe 3484 Ocopdn32.exe 2548 Oiihahme.exe 3892 Ocamjm32.exe 3700 Oljaccjf.exe 3672 Oebflhaf.exe 4008 Ohqbhdpj.exe 904 Ophjiaql.exe 1612 Pgbbek32.exe 2116 Ploknb32.exe 4976 Pcicklnn.exe 3636 Pfgogh32.exe 380 Plagcbdn.exe 1592 Poodpmca.exe 1696 Pgflqkdd.exe 4368 Plcdiabk.exe 2404 Pgihfj32.exe 320 Phjenbhp.exe 4996 Podmkm32.exe 1020 Pgkelj32.exe 924 Pfnegggi.exe 116 Phlacbfm.exe 3300 Plhnda32.exe 4308 Qcbfakec.exe 3264 Qfpbmfdf.exe 3628 Qjlnnemp.exe 264 Qljjjqlc.exe 3524 Qcdbfk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eppqqn32.exe Embddb32.exe File opened for modification C:\Windows\SysWOW64\Ejfeng32.exe Ebommi32.exe File created C:\Windows\SysWOW64\Oljaccjf.exe Ocamjm32.exe File created C:\Windows\SysWOW64\Jkghalnb.dll Eipinkib.exe File created C:\Windows\SysWOW64\Meebmkdh.dll Liqihglg.exe File created C:\Windows\SysWOW64\Nmfgbl32.dll Npjnhc32.exe File created C:\Windows\SysWOW64\Cpfoag32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Phjenbhp.exe Pgihfj32.exe File created C:\Windows\SysWOW64\Aleckinj.exe Ajggomog.exe File opened for modification C:\Windows\SysWOW64\Embddb32.exe Efhlhh32.exe File opened for modification C:\Windows\SysWOW64\Phaahggp.exe Pecellgl.exe File created C:\Windows\SysWOW64\Elpkep32.exe Ejoomhmi.exe File created C:\Windows\SysWOW64\Iloidijb.exe Ijqmhnko.exe File opened for modification C:\Windows\SysWOW64\Hipmfjee.exe Hfaajnfb.exe File created C:\Windows\SysWOW64\Ijikdfig.dll Process not Found File created C:\Windows\SysWOW64\Pgbbek32.exe Ophjiaql.exe File created C:\Windows\SysWOW64\Gccjmkko.dll Aokcklid.exe File created C:\Windows\SysWOW64\Qeidhb32.dll Indfca32.exe File opened for modification C:\Windows\SysWOW64\Jnfcia32.exe Jkhgmf32.exe File created C:\Windows\SysWOW64\Bchace32.dll Lbkkgl32.exe File created C:\Windows\SysWOW64\Eiobceef.exe Efafgifc.exe File opened for modification C:\Windows\SysWOW64\Aefjii32.exe Anobgl32.exe File created C:\Windows\SysWOW64\Gmfplibd.exe Geohklaa.exe File created C:\Windows\SysWOW64\Fechok32.dll Odalmibl.exe File created C:\Windows\SysWOW64\Qaqegecm.exe Qmeigg32.exe File created C:\Windows\SysWOW64\Nclbpf32.exe Nqmfdj32.exe File created C:\Windows\SysWOW64\Efkphnbd.exe Edmclccp.exe File created C:\Windows\SysWOW64\Jlgkbp32.dll Pcjiff32.exe File created C:\Windows\SysWOW64\Fdqfll32.exe Fpejlmcf.exe File created C:\Windows\SysWOW64\Fmcldc32.dll Fphnlcdo.exe File created C:\Windows\SysWOW64\Aopemh32.exe Process not Found File created C:\Windows\SysWOW64\Jhijep32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bjaqpbkh.exe Bcghch32.exe File opened for modification C:\Windows\SysWOW64\Dhclmp32.exe Dfdpad32.exe File created C:\Windows\SysWOW64\Lgdidgjg.exe Lomqcjie.exe File opened for modification C:\Windows\SysWOW64\Ddcqedkk.exe Daediilg.exe File created C:\Windows\SysWOW64\Bmabggdm.exe Bheffh32.exe File created C:\Windows\SysWOW64\Dnjfibml.dll Bemqih32.exe File opened for modification C:\Windows\SysWOW64\Cgifbhid.exe Process not Found File created C:\Windows\SysWOW64\Gpengmlg.dll Qfpbmfdf.exe File created C:\Windows\SysWOW64\Laniklje.dll Dpehof32.exe File created C:\Windows\SysWOW64\Qkdbgdbg.dll Gpaqbbld.exe File created C:\Windows\SysWOW64\Cbbdjm32.exe Ckilmcgb.exe File opened for modification C:\Windows\SysWOW64\Lmpkadnm.exe Lknojl32.exe File opened for modification C:\Windows\SysWOW64\Aamknj32.exe Aonoao32.exe File opened for modification C:\Windows\SysWOW64\Fpgpgfmh.exe Fmhdkknd.exe File opened for modification C:\Windows\SysWOW64\Apaadpng.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocopdn32.exe Olehhc32.exe File opened for modification C:\Windows\SysWOW64\Fhofmq32.exe Fphnlcdo.exe File created C:\Windows\SysWOW64\Ndlapjeg.dll Jgadgf32.exe File created C:\Windows\SysWOW64\Mnggge32.dll Lbinam32.exe File created C:\Windows\SysWOW64\Ljilqnlm.exe Llflea32.exe File opened for modification C:\Windows\SysWOW64\Bohbhmfm.exe Bhnikc32.exe File created C:\Windows\SysWOW64\Kncaec32.exe Kgiiiidd.exe File opened for modification C:\Windows\SysWOW64\Pcmeke32.exe Pkenjh32.exe File opened for modification C:\Windows\SysWOW64\Ejpfhnpe.exe Edemkd32.exe File opened for modification C:\Windows\SysWOW64\Jgkdbacp.exe Jdmgfedl.exe File created C:\Windows\SysWOW64\Lmpkadnm.exe Lknojl32.exe File created C:\Windows\SysWOW64\Qofmkc32.dll Nnkpnclp.exe File opened for modification C:\Windows\SysWOW64\Ncqlkemc.exe Nqbpojnp.exe File created C:\Windows\SysWOW64\Jebiel32.dll Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Hdjbiheb.exe Hpofii32.exe File opened for modification C:\Windows\SysWOW64\Ipmbjgpi.exe Innfnl32.exe File created C:\Windows\SysWOW64\Oeddnh32.dll Gjfnedho.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 20008 19928 Process not Found 1181 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll" Hmmfmhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmomlnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgbgamd.dll" Bkmmaeap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll" Ngndaccj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnangaoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pogppn32.dll" Mpnnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njghbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pejkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oodcdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlgpod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeddnh32.dll" Gjfnedho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmpjalb.dll" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clddmhpl.dll" Lqikmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnqimah.dll" Ojbacd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oabhfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcdala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaqegecm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aggegh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooaafghm.dll" Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcggio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibncf32.dll" Gkdhjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfiddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgkelj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmipdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jboqnpjm.dll" Mbjnbqhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbackgod.dll" Cidjbmcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paihbi32.dll" Jhijqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oemefcap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilmmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcdbfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dannij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjicdmmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmpdfhi.dll" Lgffic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmdlffhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcdbfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahchda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jibmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpiopih.dll" Qmhlgmmm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4244 wrote to memory of 3572 4244 5b92e6d5ef2fbc2fa130a24448fffbd0N.exe 84 PID 4244 wrote to memory of 3572 4244 5b92e6d5ef2fbc2fa130a24448fffbd0N.exe 84 PID 4244 wrote to memory of 3572 4244 5b92e6d5ef2fbc2fa130a24448fffbd0N.exe 84 PID 3572 wrote to memory of 396 3572 Lbqklb32.exe 85 PID 3572 wrote to memory of 396 3572 Lbqklb32.exe 85 PID 3572 wrote to memory of 396 3572 Lbqklb32.exe 85 PID 396 wrote to memory of 4980 396 Leoghn32.exe 86 PID 396 wrote to memory of 4980 396 Leoghn32.exe 86 PID 396 wrote to memory of 4980 396 Leoghn32.exe 86 PID 4980 wrote to memory of 3944 4980 Llipehgk.exe 87 PID 4980 wrote to memory of 3944 4980 Llipehgk.exe 87 PID 4980 wrote to memory of 3944 4980 Llipehgk.exe 87 PID 3944 wrote to memory of 2288 3944 Lpekef32.exe 88 PID 3944 wrote to memory of 2288 3944 Lpekef32.exe 88 PID 3944 wrote to memory of 2288 3944 Lpekef32.exe 88 PID 2288 wrote to memory of 3728 2288 Lfodbqfa.exe 89 PID 2288 wrote to memory of 3728 2288 Lfodbqfa.exe 89 PID 2288 wrote to memory of 3728 2288 Lfodbqfa.exe 89 PID 3728 wrote to memory of 2852 3728 Mhppji32.exe 90 PID 3728 wrote to memory of 2852 3728 Mhppji32.exe 90 PID 3728 wrote to memory of 2852 3728 Mhppji32.exe 90 PID 2852 wrote to memory of 2140 2852 Mpghkf32.exe 91 PID 2852 wrote to memory of 2140 2852 Mpghkf32.exe 91 PID 2852 wrote to memory of 2140 2852 Mpghkf32.exe 91 PID 2140 wrote to memory of 4972 2140 Mfaqhp32.exe 92 PID 2140 wrote to memory of 4972 2140 Mfaqhp32.exe 92 PID 2140 wrote to memory of 4972 2140 Mfaqhp32.exe 92 PID 4972 wrote to memory of 3028 4972 Mhbmphjm.exe 93 PID 4972 wrote to memory of 3028 4972 Mhbmphjm.exe 93 PID 4972 wrote to memory of 3028 4972 Mhbmphjm.exe 93 PID 3028 wrote to memory of 3908 3028 Mbhamajc.exe 94 PID 3028 wrote to memory of 3908 3028 Mbhamajc.exe 94 PID 3028 wrote to memory of 3908 3028 Mbhamajc.exe 94 PID 3908 wrote to memory of 3364 3908 Mefmimif.exe 95 PID 3908 wrote to memory of 3364 3908 Mefmimif.exe 95 PID 3908 wrote to memory of 3364 3908 Mefmimif.exe 95 PID 3364 wrote to memory of 2420 3364 Mlpeff32.exe 96 PID 3364 wrote to memory of 2420 3364 Mlpeff32.exe 96 PID 3364 wrote to memory of 2420 3364 Mlpeff32.exe 96 PID 2420 wrote to memory of 1040 2420 Mbjnbqhp.exe 98 PID 2420 wrote to memory of 1040 2420 Mbjnbqhp.exe 98 PID 2420 wrote to memory of 1040 2420 Mbjnbqhp.exe 98 PID 1040 wrote to memory of 1608 1040 Mehjol32.exe 99 PID 1040 wrote to memory of 1608 1040 Mehjol32.exe 99 PID 1040 wrote to memory of 1608 1040 Mehjol32.exe 99 PID 1608 wrote to memory of 4936 1608 Mpnnle32.exe 100 PID 1608 wrote to memory of 4936 1608 Mpnnle32.exe 100 PID 1608 wrote to memory of 4936 1608 Mpnnle32.exe 100 PID 4936 wrote to memory of 4424 4936 Mfhfhong.exe 102 PID 4936 wrote to memory of 4424 4936 Mfhfhong.exe 102 PID 4936 wrote to memory of 4424 4936 Mfhfhong.exe 102 PID 4424 wrote to memory of 2040 4424 Mhicpg32.exe 103 PID 4424 wrote to memory of 2040 4424 Mhicpg32.exe 103 PID 4424 wrote to memory of 2040 4424 Mhicpg32.exe 103 PID 2040 wrote to memory of 3208 2040 Mockmala.exe 104 PID 2040 wrote to memory of 3208 2040 Mockmala.exe 104 PID 2040 wrote to memory of 3208 2040 Mockmala.exe 104 PID 3208 wrote to memory of 1544 3208 Nemcjk32.exe 106 PID 3208 wrote to memory of 1544 3208 Nemcjk32.exe 106 PID 3208 wrote to memory of 1544 3208 Nemcjk32.exe 106 PID 1544 wrote to memory of 960 1544 Npchgdcd.exe 107 PID 1544 wrote to memory of 960 1544 Npchgdcd.exe 107 PID 1544 wrote to memory of 960 1544 Npchgdcd.exe 107 PID 960 wrote to memory of 1184 960 Ngmpcn32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b92e6d5ef2fbc2fa130a24448fffbd0N.exe"C:\Users\Admin\AppData\Local\Temp\5b92e6d5ef2fbc2fa130a24448fffbd0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe23⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe24⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe25⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe26⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe27⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe28⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe29⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe30⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe32⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe33⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe34⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe35⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe36⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe37⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe39⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe40⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3892 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe42⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe43⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe44⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe46⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe47⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe48⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe49⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe50⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe51⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe52⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe53⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe55⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe56⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe58⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe59⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe60⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe61⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe63⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe66⤵PID:2308
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe67⤵PID:1680
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe68⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe69⤵
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1620 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe72⤵PID:4732
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe73⤵PID:2012
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe74⤵
- Modifies registry class
PID:3920 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe75⤵PID:1432
-
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe76⤵PID:1848
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe78⤵PID:4948
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe79⤵PID:696
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe80⤵PID:1976
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe81⤵PID:1380
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe82⤵PID:5076
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe83⤵PID:5060
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe84⤵PID:3704
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe85⤵PID:1400
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe86⤵PID:1084
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe87⤵
- Drops file in System32 directory
PID:4456 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe88⤵PID:2888
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe89⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe90⤵PID:4924
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe91⤵PID:3076
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe92⤵PID:2856
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe93⤵PID:1852
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe94⤵PID:4896
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe95⤵PID:3844
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe96⤵PID:4856
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe97⤵PID:5136
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe99⤵PID:5252
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe100⤵PID:5304
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe101⤵PID:5368
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe102⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe103⤵PID:5460
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe104⤵PID:5532
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe105⤵PID:5588
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe106⤵PID:5656
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe107⤵PID:5704
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe108⤵PID:5748
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe109⤵PID:5796
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe110⤵PID:5840
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe111⤵PID:5888
-
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe112⤵PID:5932
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe113⤵PID:5976
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe114⤵PID:6028
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe115⤵PID:6080
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe116⤵PID:6124
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe117⤵PID:5144
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe118⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe119⤵PID:5344
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe120⤵PID:5404
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe121⤵PID:5516
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-