Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
109s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
23/07/2024, 02:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
50de3bd5f9616c760d134189bc5fd390N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
50de3bd5f9616c760d134189bc5fd390N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
50de3bd5f9616c760d134189bc5fd390N.exe
-
Size
45KB
-
MD5
50de3bd5f9616c760d134189bc5fd390
-
SHA1
0622570384f8833c706036ceef28aa827d882154
-
SHA256
db79a3c7e902f8e95adf8fd5bb41385b9e7ce9038280b860bc53add8c7cd7b8d
-
SHA512
97c27faa349e8f57523edd039002263acb2cf2d9c560d3ef517dc4a068f3d4f6aca86772c3830992d63aa6591fb7fa957ed6f693afee7fd00a6519ad3fd16bb9
-
SSDEEP
768:NKKeiBJjN7/L3EJp0Ysot6d2t/cNW0nuLUF7/1H5Ju:NKv8JNOBvtw2t/EnuL2tW
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnbbqpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbnmke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maodigil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbcjnilj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjdebfnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmnhcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggahedjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pajeam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llflea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coiaiakf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohaeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocffempp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inainbcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keonap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliinc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdhgmep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oileggkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkidohn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdebfnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidnkkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpmnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbohigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemefcap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibaeen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leadnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlmdbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpkiph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiaboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocpfphe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqmeal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdqfll32.exe -
Executes dropped EXE 64 IoCs
pid Process 3944 Ggqida32.exe 3508 Gohaeo32.exe 5060 Gfbibikg.exe 2092 Gddinf32.exe 4072 Gkobjpin.exe 4680 Gojnko32.exe 2944 Gahjgj32.exe 824 Ggeboaob.exe 4884 Goljqnpd.exe 628 Hakgmjoh.exe 1556 Hdicienl.exe 1400 Hghoeqmp.exe 5036 Hoogfnnb.exe 1360 Hbmcbime.exe 1164 Hdlpneli.exe 4472 Hgjljpkm.exe 856 Hoadkn32.exe 2132 Hfklhhcl.exe 3188 Hhihdcbp.exe 3984 Hkhdqoac.exe 1116 Hnfamjqg.exe 1900 Hfningai.exe 1552 Hdpiid32.exe 1032 Hgoeep32.exe 1916 Hofmfmhj.exe 2608 Hfpecg32.exe 2916 Hhnbpb32.exe 320 Hkmnln32.exe 2896 Inkjhi32.exe 4320 Idebdcdo.exe 2728 Igcoqocb.exe 1672 Ifdonfka.exe 768 Iickkbje.exe 3692 Ikaggmii.exe 2044 Inpccihl.exe 1716 Ifgldfio.exe 1468 Iiehpahb.exe 1524 Ighhln32.exe 2488 Ioopml32.exe 4620 Ibnligoc.exe 2856 Ieliebnf.exe 744 Igjeanmj.exe 1688 Ioambknl.exe 4496 Ibpiogmp.exe 3884 Ienekbld.exe 64 Iijaka32.exe 4772 Jkhngl32.exe 1268 Jbbfdfkn.exe 3420 Jeqbpb32.exe 1020 Jgonlm32.exe 4696 Joffnk32.exe 4732 Jbdbjf32.exe 5080 Jecofa32.exe 2364 Jiokfpph.exe 540 Joiccj32.exe 3788 Jnkcogno.exe 1016 Jeekkafl.exe 1588 Jgdhgmep.exe 4356 Jpkphjeb.exe 756 Jbileede.exe 5008 Jgfdmlcm.exe 3960 Jnpmjf32.exe 516 Jblijebc.exe 4212 Jejefqaf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ahjgjj32.exe Afkknogn.exe File opened for modification C:\Windows\SysWOW64\Hblkjo32.exe Hpnoncim.exe File created C:\Windows\SysWOW64\Pipeabep.dll Process not Found File created C:\Windows\SysWOW64\Ciipkkdj.dll Process not Found File created C:\Windows\SysWOW64\Fomnhddq.dll Process not Found File opened for modification C:\Windows\SysWOW64\Poliea32.exe Plmmif32.exe File created C:\Windows\SysWOW64\Nglhld32.exe Process not Found File created C:\Windows\SysWOW64\Ldlghq32.dll Hoogfnnb.exe File created C:\Windows\SysWOW64\Hgddfeae.dll Jejefqaf.exe File opened for modification C:\Windows\SysWOW64\Lemkcnaa.exe Lfjjga32.exe File created C:\Windows\SysWOW64\Akhkncql.dll Dflfac32.exe File created C:\Windows\SysWOW64\Cqopkcbn.dll Fpbflg32.exe File created C:\Windows\SysWOW64\Jilfifme.exe Jpcapp32.exe File opened for modification C:\Windows\SysWOW64\Bbnkonbd.exe Bkdcbd32.exe File opened for modification C:\Windows\SysWOW64\Ojbacd32.exe Ohcegi32.exe File opened for modification C:\Windows\SysWOW64\Dpkmal32.exe Process not Found File created C:\Windows\SysWOW64\Inkjhi32.exe Hkmnln32.exe File created C:\Windows\SysWOW64\Hdkidohn.exe Hammhcij.exe File created C:\Windows\SysWOW64\Ohfaap32.dll Olbdhn32.exe File created C:\Windows\SysWOW64\Fedbbjgh.dll Mkjnfkma.exe File opened for modification C:\Windows\SysWOW64\Mjokgg32.exe Mgaokl32.exe File created C:\Windows\SysWOW64\Oeehkn32.exe Nnkpnclp.exe File created C:\Windows\SysWOW64\Jleijb32.exe Jiglnf32.exe File created C:\Windows\SysWOW64\Ajqgidij.exe Acgolj32.exe File created C:\Windows\SysWOW64\Iqbbpm32.exe Ijhjcchb.exe File created C:\Windows\SysWOW64\Kckefh32.dll Phbhcmjl.exe File created C:\Windows\SysWOW64\Emoadlfo.exe Eehicoel.exe File opened for modification C:\Windows\SysWOW64\Qjnkcekm.exe Qcdbfk32.exe File created C:\Windows\SysWOW64\Cimcan32.exe Cabomkll.exe File opened for modification C:\Windows\SysWOW64\Ejoomhmi.exe Ebhglj32.exe File created C:\Windows\SysWOW64\Dhhdcojj.dll Gmiclo32.exe File created C:\Windows\SysWOW64\Aggpfkjj.exe Process not Found File created C:\Windows\SysWOW64\Amjjnh32.dll Nimbkc32.exe File created C:\Windows\SysWOW64\Cihclh32.exe Cjecpkcg.exe File opened for modification C:\Windows\SysWOW64\Llodgnja.exe Lfeljd32.exe File created C:\Windows\SysWOW64\Nabbod32.dll Ejflhm32.exe File created C:\Windows\SysWOW64\Hacbhb32.exe Hjlkge32.exe File created C:\Windows\SysWOW64\Ahpmjejp.exe Addaif32.exe File created C:\Windows\SysWOW64\Aajhndkb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nedjjj32.exe Nojanpej.exe File opened for modification C:\Windows\SysWOW64\Acmobchj.exe Akffafgg.exe File created C:\Windows\SysWOW64\Nggnadib.exe Nqmfdj32.exe File created C:\Windows\SysWOW64\Ebadmmge.dll Ffpicn32.exe File created C:\Windows\SysWOW64\Cclaff32.dll Ginnfgop.exe File created C:\Windows\SysWOW64\Eclmamod.exe Eleepoob.exe File opened for modification C:\Windows\SysWOW64\Jjoiil32.exe Jgpmmp32.exe File created C:\Windows\SysWOW64\Gdkcckgg.dll Nlfnaicd.exe File created C:\Windows\SysWOW64\Kejocggj.dll Ljgpkonp.exe File created C:\Windows\SysWOW64\Oekpkigo.exe Ocmconhk.exe File opened for modification C:\Windows\SysWOW64\Kkhpdcab.exe Kijchhbo.exe File opened for modification C:\Windows\SysWOW64\Keqdmihc.exe Kbbhqn32.exe File opened for modification C:\Windows\SysWOW64\Nmkmjjaa.exe Process not Found File created C:\Windows\SysWOW64\Lemkcnaa.exe Lfjjga32.exe File created C:\Windows\SysWOW64\Ogmijllo.exe Opcqnb32.exe File created C:\Windows\SysWOW64\Gpecbk32.exe Gikkfqmf.exe File opened for modification C:\Windows\SysWOW64\Nndjndbh.exe Nlfnaicd.exe File created C:\Windows\SysWOW64\Cocopa32.dll Eppjfgcp.exe File created C:\Windows\SysWOW64\Iooogokm.dll Kcbfcigf.exe File created C:\Windows\SysWOW64\Mgnlkfal.exe Mmhgmmbf.exe File created C:\Windows\SysWOW64\Mfpqjjgd.dll Kimghn32.exe File created C:\Windows\SysWOW64\Flcmfp32.dll Malgcg32.exe File opened for modification C:\Windows\SysWOW64\Nklbmllg.exe Nhmeapmd.exe File created C:\Windows\SysWOW64\Gdliee32.dll Pojcjh32.exe File created C:\Windows\SysWOW64\Ndflak32.exe Nagpeo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5704 6356 Process not Found 1249 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neppokal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfcqpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihpif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boflmdkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akglloai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knnhjcog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhdlao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fibojhim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcehifmk.dll" Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcgieob.dll" Nlfelogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeheme32.dll" Pemomqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngjep32.dll" Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gacjadad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjpijpdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfbaonae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfgcakon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccchof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gndcedao.dll" Keqdmihc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odoogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmeede32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Empoiimf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keaebdpc.dll" Ingpmmgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgaokl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlgcp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidcecbj.dll" Pgkelj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aopmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ephccnmj.dll" Bjpjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olicnfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfafakb.dll" Plcdiabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meefofek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doodkl32.dll" 50de3bd5f9616c760d134189bc5fd390N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcpcm32.dll" Jgfdmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqdhfd32.dll" Pfillg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbekqdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojdnid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oejbfmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgflqkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dinmhkke.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1480 wrote to memory of 3944 1480 50de3bd5f9616c760d134189bc5fd390N.exe 84 PID 1480 wrote to memory of 3944 1480 50de3bd5f9616c760d134189bc5fd390N.exe 84 PID 1480 wrote to memory of 3944 1480 50de3bd5f9616c760d134189bc5fd390N.exe 84 PID 3944 wrote to memory of 3508 3944 Ggqida32.exe 85 PID 3944 wrote to memory of 3508 3944 Ggqida32.exe 85 PID 3944 wrote to memory of 3508 3944 Ggqida32.exe 85 PID 3508 wrote to memory of 5060 3508 Gohaeo32.exe 86 PID 3508 wrote to memory of 5060 3508 Gohaeo32.exe 86 PID 3508 wrote to memory of 5060 3508 Gohaeo32.exe 86 PID 5060 wrote to memory of 2092 5060 Gfbibikg.exe 87 PID 5060 wrote to memory of 2092 5060 Gfbibikg.exe 87 PID 5060 wrote to memory of 2092 5060 Gfbibikg.exe 87 PID 2092 wrote to memory of 4072 2092 Gddinf32.exe 88 PID 2092 wrote to memory of 4072 2092 Gddinf32.exe 88 PID 2092 wrote to memory of 4072 2092 Gddinf32.exe 88 PID 4072 wrote to memory of 4680 4072 Gkobjpin.exe 89 PID 4072 wrote to memory of 4680 4072 Gkobjpin.exe 89 PID 4072 wrote to memory of 4680 4072 Gkobjpin.exe 89 PID 4680 wrote to memory of 2944 4680 Gojnko32.exe 90 PID 4680 wrote to memory of 2944 4680 Gojnko32.exe 90 PID 4680 wrote to memory of 2944 4680 Gojnko32.exe 90 PID 2944 wrote to memory of 824 2944 Gahjgj32.exe 91 PID 2944 wrote to memory of 824 2944 Gahjgj32.exe 91 PID 2944 wrote to memory of 824 2944 Gahjgj32.exe 91 PID 824 wrote to memory of 4884 824 Ggeboaob.exe 92 PID 824 wrote to memory of 4884 824 Ggeboaob.exe 92 PID 824 wrote to memory of 4884 824 Ggeboaob.exe 92 PID 4884 wrote to memory of 628 4884 Goljqnpd.exe 93 PID 4884 wrote to memory of 628 4884 Goljqnpd.exe 93 PID 4884 wrote to memory of 628 4884 Goljqnpd.exe 93 PID 628 wrote to memory of 1556 628 Hakgmjoh.exe 94 PID 628 wrote to memory of 1556 628 Hakgmjoh.exe 94 PID 628 wrote to memory of 1556 628 Hakgmjoh.exe 94 PID 1556 wrote to memory of 1400 1556 Hdicienl.exe 95 PID 1556 wrote to memory of 1400 1556 Hdicienl.exe 95 PID 1556 wrote to memory of 1400 1556 Hdicienl.exe 95 PID 1400 wrote to memory of 5036 1400 Hghoeqmp.exe 96 PID 1400 wrote to memory of 5036 1400 Hghoeqmp.exe 96 PID 1400 wrote to memory of 5036 1400 Hghoeqmp.exe 96 PID 5036 wrote to memory of 1360 5036 Hoogfnnb.exe 97 PID 5036 wrote to memory of 1360 5036 Hoogfnnb.exe 97 PID 5036 wrote to memory of 1360 5036 Hoogfnnb.exe 97 PID 1360 wrote to memory of 1164 1360 Hbmcbime.exe 98 PID 1360 wrote to memory of 1164 1360 Hbmcbime.exe 98 PID 1360 wrote to memory of 1164 1360 Hbmcbime.exe 98 PID 1164 wrote to memory of 4472 1164 Hdlpneli.exe 99 PID 1164 wrote to memory of 4472 1164 Hdlpneli.exe 99 PID 1164 wrote to memory of 4472 1164 Hdlpneli.exe 99 PID 4472 wrote to memory of 856 4472 Hgjljpkm.exe 100 PID 4472 wrote to memory of 856 4472 Hgjljpkm.exe 100 PID 4472 wrote to memory of 856 4472 Hgjljpkm.exe 100 PID 856 wrote to memory of 2132 856 Hoadkn32.exe 101 PID 856 wrote to memory of 2132 856 Hoadkn32.exe 101 PID 856 wrote to memory of 2132 856 Hoadkn32.exe 101 PID 2132 wrote to memory of 3188 2132 Hfklhhcl.exe 102 PID 2132 wrote to memory of 3188 2132 Hfklhhcl.exe 102 PID 2132 wrote to memory of 3188 2132 Hfklhhcl.exe 102 PID 3188 wrote to memory of 3984 3188 Hhihdcbp.exe 104 PID 3188 wrote to memory of 3984 3188 Hhihdcbp.exe 104 PID 3188 wrote to memory of 3984 3188 Hhihdcbp.exe 104 PID 3984 wrote to memory of 1116 3984 Hkhdqoac.exe 105 PID 3984 wrote to memory of 1116 3984 Hkhdqoac.exe 105 PID 3984 wrote to memory of 1116 3984 Hkhdqoac.exe 105 PID 1116 wrote to memory of 1900 1116 Hnfamjqg.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\50de3bd5f9616c760d134189bc5fd390N.exe"C:\Users\Admin\AppData\Local\Temp\50de3bd5f9616c760d134189bc5fd390N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe23⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe24⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe25⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe26⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe27⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe28⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe30⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe31⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe32⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe33⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe34⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe35⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe36⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe37⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe38⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe39⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe40⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe41⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe42⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe43⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe44⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe45⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe46⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe47⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe48⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe49⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe50⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe51⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe52⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe53⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe54⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe55⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe56⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe57⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe58⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe60⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe61⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:5008 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe63⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe64⤵
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4212 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe66⤵PID:4512
-
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe67⤵PID:4436
-
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe68⤵PID:4292
-
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe69⤵PID:4152
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe70⤵PID:3660
-
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe71⤵PID:4460
-
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4540 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe73⤵PID:3872
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe74⤵PID:1736
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe75⤵PID:4876
-
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe76⤵PID:1708
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe77⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe78⤵PID:2836
-
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe79⤵
- Modifies registry class
PID:740 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe80⤵PID:1680
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe81⤵PID:1108
-
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe82⤵PID:220
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe83⤵PID:4176
-
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe84⤵PID:1628
-
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe85⤵PID:3868
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe87⤵PID:5164
-
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe88⤵PID:5216
-
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe89⤵PID:5256
-
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe90⤵PID:5300
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe91⤵PID:5348
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe92⤵PID:5388
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe93⤵
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe94⤵PID:5492
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe95⤵
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe96⤵PID:5580
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe97⤵PID:5624
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe98⤵PID:5668
-
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe99⤵PID:5716
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe100⤵PID:5776
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe101⤵PID:5812
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe102⤵PID:5876
-
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe103⤵PID:5944
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe104⤵PID:6000
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6048 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe106⤵PID:6108
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe107⤵PID:5132
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe108⤵PID:5236
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe109⤵PID:5324
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe110⤵PID:5396
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe111⤵PID:5452
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe112⤵PID:5528
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe113⤵PID:5620
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe114⤵PID:5676
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe115⤵PID:5768
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe116⤵PID:5824
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe117⤵PID:5916
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe118⤵PID:6012
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe119⤵PID:6128
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe120⤵PID:5244
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe121⤵PID:5356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-