Analysis

max time kernel: 69s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/10/2022, 09:11
Static task: static1

Behavioral task: behavioral1
Sample: 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe
Resource: win10v2004-20220812-en

The signatures and process tree below are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20220812-en, as listed under Analysis).
General

Target: 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe
Size: 248KB
MD5: 87e1905afd5be25c4dd1e16b28811ec6
SHA1: 74d0da5f96c92e203ff95c0d3252858defe28fc2
SHA256: 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908
SHA512: c54c8d6de324b2ab6c23488e5d940df325582c654fa4a2d02a88b3a69fe7ecdb1682cf80997f1990ecbc572cffb7a5c26e5e525ef95e35a61ccd5ecefc6044da
SSDEEP: 6144:HZpbwFmvXT83nL0qzdwOSzhrQD2s68RXT83nL0qzdwOSL:DbAew3P+hrYw3P0
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every row is under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the native name for HKLM\SOFTWARE\WOW6432Node\...\ShellServiceObjectDelayLoad; the report prints the hive path as "Software" for the "Key created" rows, which is the same key since registry key names are case-insensitive). "Key created" rows create or open that key; "Set value (str)" rows write the value Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" under it. Explorer loads every CLSID listed in ShellServiceObjectDelayLoad at logon, and that CLSID's in-process server is registered in the "Modifies registry class" table.

description | ioc (relative to ShellServiceObjectDelayLoad) | Process
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efamflbg.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojkkhbqd.exe
Key created | (the key itself) | Faqfclaf.exe
Key created | (the key itself) | Dnnoojhf.exe
Key created | (the key itself) | Gammiakd.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfjeldlp.exe
Key created | (the key itself) | Ofohmmeo.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neokbj32.exe
Key created | (the key itself) | Llpomn32.exe
Key created | (the key itself) | Gaglck32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hafieion.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olidodei.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inflpi32.exe
Key created | (the key itself) | Gaibod32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpliae32.exe
Key created | (the key itself) | Ahbaog32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aljmgf32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjlnocoj.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjdfmmlm.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhcmhg32.exe
Key created | (the key itself) | Nplddj32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldfhmh32.exe
Key created | (the key itself) | Pbaohbda.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdinld32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogglbifo.exe
Key created | (the key itself) | Jflgmkee.exe
Key created | (the key itself) | Ljjijf32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lidofb32.exe
Key created | (the key itself) | Begcad32.exe
Key created | (the key itself) | Aofjei32.exe
Key created | (the key itself) | Jqpfojjj.exe
Key created | (the key itself) | Dcjpmk32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gplbjamj.exe
Key created | (the key itself) | Jfikgkgh.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qmpoadha.exe
Key created | (the key itself) | Amdilc32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlnknlcb.exe
Key created | (the key itself) | Djjecf32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Immcnlhi.exe
Key created | (the key itself) | Eimecapa.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilgchg32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnahie32.exe
Key created | (the key itself) | Emlglo32.exe
Key created | (the key itself) | Hcfcdinh.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkdamgga.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gffkgl32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpfgnk32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkdgen32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oplfqbgj.exe
Key created | (the key itself) | Dqkdao32.exe
Key created | (the key itself) | Oioanh32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjmmlk32.exe
Key created | (the key itself) | Lbgjdiha.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghdafe32.exe
Key created | (the key itself) | Iicdcm32.exe
Key created | (the key itself) | Pijaic32.exe
Key created | (the key itself) | Ppepag32.exe
Key created | (the key itself) | Enkdfbij.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gopfhofb.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pijaic32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkgeqh32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkmkmhmi.exe
Key created | (the key itself) | Qbmhikfi.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnbmgdda.exe
Executes dropped EXE (64 IoCs)

pid | Process
4788 | Kcjhaj32.exe
2080 | Kejekm32.exe
4792 | Knbidbqo.exe
1476 | Khknmh32.exe
916 | Kacbfnnp.exe
2500 | Lmjckocd.exe
5016 | Lmlpqnaa.exe
1716 | Ldfhmh32.exe
964 | Lmnlfn32.exe
4320 | Lhdqcg32.exe
2332 | Ldkahhei.exe
3896 | Lopeeq32.exe
4804 | Mkgfkajc.exe
936 | Mkicpahq.exe
1756 | Mackmkpn.exe
3676 | Mdagigoa.exe
2504 | Mmjlbl32.exe
2220 | Mojhlold.exe
1072 | Mgempa32.exe
4688 | Nonbgo32.exe
5036 | Nehjci32.exe
2008 | Nncohk32.exe
1868 | Nnfknk32.exe
3740 | Ngnpfp32.exe
4268 | Neopdhjd.exe
1808 | Neamjgha.exe
4324 | Oahnohme.exe
1940 | Oolnhmlo.exe
1884 | Oooknl32.exe
1852 | Oeicjfai.exe
4144 | Ogjpbo32.exe
3264 | Odnplc32.exe
4348 | Onfddh32.exe
3636 | Pdpmabdo.exe
3488 | Pofankdd.exe
3284 | Phnega32.exe
3504 | Pnknphil.exe
1076 | Pdeflb32.exe
1520 | Pojjik32.exe
1580 | Pfdbfegl.exe
3528 | Phcobpfp.exe
4844 | Pnpgkg32.exe
4048 | Pdipgald.exe
2004 | Pnbdpg32.exe
652 | Qbpmfe32.exe
3916 | Abbile32.exe
3908 | Aofjei32.exe
4248 | Aiakcn32.exe
4860 | Abipmcap.exe
720 | Aompfh32.exe
2140 | Aejhno32.exe
1228 | Bnbmgdda.exe
408 | Beledo32.exe
1512 | Cnbfnbfo.exe
4484 | Cihjkkfe.exe
396 | Cnebcadl.exe
1660 | Chmglg32.exe
2260 | Cngoiabj.exe
4940 | Ceagfkjf.exe
4908 | Dnjloa32.exe
1836 | Deddkkgd.exe
2024 | Dlnlhe32.exe
4480 | Dbhdeofn.exe
116 | Defaak32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Eohjlked.dll | Hhhego32.exe
File created | C:\Windows\SysWOW64\Cdghjo32.dll | Jflnga32.exe
File created | C:\Windows\SysWOW64\Fadapnad.dll | Kfhnco32.exe
File created | C:\Windows\SysWOW64\Alkoacpm.dll | Klceqlmg.exe
File created | C:\Windows\SysWOW64\Qgapgjlp.dll | Pfoackfl.exe
File created | C:\Windows\SysWOW64\Eljbcn32.dll | Ccfcfg32.exe
File opened for modification | C:\Windows\SysWOW64\Cjeenqcc.exe | Cggibe32.exe
File created | C:\Windows\SysWOW64\Fnaclk32.exe | Fggkpqgj.exe
File opened for modification | C:\Windows\SysWOW64\Ganljdbj.exe | Gnponhcg.exe
File created | C:\Windows\SysWOW64\Anebbpnk.dll | Qqbfgk32.exe
File created | C:\Windows\SysWOW64\Ialihaog.dll | Ghdafe32.exe
File created | C:\Windows\SysWOW64\Hddeaeoa.exe | Hafieion.exe
File created | C:\Windows\SysWOW64\Ejmdemoh.exe | Egnhibpd.exe
File opened for modification | C:\Windows\SysWOW64\Gccepqii.exe | Gmimcg32.exe
File opened for modification | C:\Windows\SysWOW64\Figocflb.exe | Fbmggl32.exe
File created | C:\Windows\SysWOW64\Pgbkng32.exe | Ppicam32.exe
File created | C:\Windows\SysWOW64\Kkpfjend.dll | Nleaok32.exe
File created | C:\Windows\SysWOW64\Cjhinfdl.exe | Cgjmbkeh.exe
File created | C:\Windows\SysWOW64\Ialaljom.dll | Ganljdbj.exe
File created | C:\Windows\SysWOW64\Edicbnjn.dll | Hhmmameb.exe
File created | C:\Windows\SysWOW64\Icfqop32.dll | Qbpmfe32.exe
File created | C:\Windows\SysWOW64\Lmamioao.dll | Cgcmlb32.exe
File created | C:\Windows\SysWOW64\Clfmcfaj.dll | Nfjeldlp.exe
File created | C:\Windows\SysWOW64\Fmgghm32.exe | Fndglqqp.exe
File created | C:\Windows\SysWOW64\Hefpmo32.dll | Hdfafdlo.exe
File opened for modification | C:\Windows\SysWOW64\Mfnofo32.exe | Modgieke.exe
File created | C:\Windows\SysWOW64\Aigpfe32.exe | Aekdefel.exe
File created | C:\Windows\SysWOW64\Jhpocmpp.dll | Lhiokg32.exe
File created | C:\Windows\SysWOW64\Adnafp32.dll | Bhendgbo.exe
File opened for modification | C:\Windows\SysWOW64\Ebbmfgid.exe | Elieim32.exe
File created | C:\Windows\SysWOW64\Fiheopfd.exe | Fkgeqh32.exe
File opened for modification | C:\Windows\SysWOW64\Mpfcoeib.exe | Mkkgnf32.exe
File created | C:\Windows\SysWOW64\Donmbfgm.exe | Dmoafjhi.exe
File created | C:\Windows\SysWOW64\Nlpmde32.dll | Ehbind32.exe
File created | C:\Windows\SysWOW64\Lpkmgnip.dll | Hebkpn32.exe
File created | C:\Windows\SysWOW64\Bgpjllnc.exe | Bqfaob32.exe
File created | C:\Windows\SysWOW64\Abipmcap.exe | Aiakcn32.exe
File opened for modification | C:\Windows\SysWOW64\Obccfd32.exe | Odabkhig.exe
File created | C:\Windows\SysWOW64\Clbnma32.dll | Cnahie32.exe
File opened for modification | C:\Windows\SysWOW64\Aokook32.exe | Amibgbpg.exe
File created | C:\Windows\SysWOW64\Gmimcg32.exe | Ffodfmjo.exe
File opened for modification | C:\Windows\SysWOW64\Fhnijbng.exe | Fgmlbj32.exe
File created | C:\Windows\SysWOW64\Kongmenq.dll | Gjghjd32.exe
File created | C:\Windows\SysWOW64\Lolfih32.dll | Cnbocl32.exe
File opened for modification | C:\Windows\SysWOW64\Hheagifa.exe | Hchiobhj.exe
File created | C:\Windows\SysWOW64\Akpfqm32.exe | Adfndbil.exe
File created | C:\Windows\SysWOW64\Hkbfinbi.exe | Hhdjmcce.exe
File created | C:\Windows\SysWOW64\Ghppif32.dll | Abaadj32.exe
File opened for modification | C:\Windows\SysWOW64\Mackmkpn.exe | Mkicpahq.exe
File opened for modification | C:\Windows\SysWOW64\Ijlkla32.exe | Ifqolbco.exe
File opened for modification | C:\Windows\SysWOW64\Bhendgbo.exe | Ajdmfpkp.exe
File created | C:\Windows\SysWOW64\Gmliaace.dll | Lfecjg32.exe
File opened for modification | C:\Windows\SysWOW64\Aohbik32.exe | Aepmpe32.exe
File opened for modification | C:\Windows\SysWOW64\Hjmfch32.exe | Hhojgm32.exe
File created | C:\Windows\SysWOW64\Dodffg32.dll | Pnbdpg32.exe
File created | C:\Windows\SysWOW64\Gbhabm32.dll | Chmglg32.exe
File created | C:\Windows\SysWOW64\Opmceo32.exe | Oickidge.exe
File created | C:\Windows\SysWOW64\Cjdfmmlm.exe | Cqlbdhfl.exe
File created | C:\Windows\SysWOW64\Hkbklb32.dll | Hoefnd32.exe
File created | C:\Windows\SysWOW64\Plepgble.dll | Gkggmplf.exe
File created | C:\Windows\SysWOW64\Jocekj32.exe | Jhimopqn.exe
File created | C:\Windows\SysWOW64\Kbkdnd32.exe | Komhah32.exe
File opened for modification | C:\Windows\SysWOW64\Oekknh32.exe | Ooqcanlb.exe
File opened for modification | C:\Windows\SysWOW64\Chmglg32.exe | Cnebcadl.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
5436 | 5816 | WerFault.exe | 970
Modifies registry class (64 IoCs)

Every row is under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the in-process server registration for the CLSID that the ShellServiceObjectDelayLoad value "Web Event Logger" points at. "(default)" is the key's unnamed value, which the report prints as a trailing backslash with the backslashes in the data doubled; it names the DLL Explorer loads for that CLSID. Each process in the chain registers a differently named DLL in C:\Windows\SysWow64, so the last writer wins.

description | ioc (relative to InProcServer32) | Process
Set value (str) | ThreadingModel = "Apartment" | Lmfhqb32.exe
Set value (str) | ThreadingModel = "Apartment" | Lpngcm32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Jkbmim32.dll" | Inflpi32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Pedqog32.dll" | Pocpgnjp.exe
Key created | (the key itself) | Jookpjlp.exe
Set value (str) | ThreadingModel = "Apartment" | Lialfl32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Npqgbogf.dll" | Pedndg32.exe
Key created | (the key itself) | Qoalhl32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Klcniphb.dll" | Epgejb32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Gofnfa32.dll" | Nkboljlj.exe
Key created | (the key itself) | Pijaic32.exe
Set value (str) | ThreadingModel = "Apartment" | Nbhckf32.exe
Key created | (the key itself) | Jdhphkin.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Blpckaod.dll" | Idpdmcdd.exe
Key created | (the key itself) | Lialfl32.exe
Set value (str) | ThreadingModel = "Apartment" | Plgpqb32.exe
Set value (str) | ThreadingModel = "Apartment" | Ccfcfg32.exe
Set value (str) | ThreadingModel = "Apartment" | Demgajpi.exe
Set value (str) | ThreadingModel = "Apartment" | Llpomn32.exe
Set value (str) | ThreadingModel = "Apartment" | Ndliph32.exe
Key created | (the key itself) | Hemkjill.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Cqkdbo32.dll" | Cgdlle32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Ldlidm32.dll" | Gieled32.exe
Key created | (the key itself) | Lfkiib32.exe
Key created | (the key itself) | Cgpcafjg.exe
Key created | (the key itself) | Dgbhncjb.exe
Key created | (the key itself) | Lcggnl32.exe
Set value (str) | ThreadingModel = "Apartment" | Cddjeq32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Diigchld.dll" | Ikecnnpf.exe
Key created | (the key itself) | Ghhdfn32.exe
Key created | (the key itself) | Onfddh32.exe
Set value (str) | ThreadingModel = "Apartment" | Epehdb32.exe
Key created | (the key itself) | Oiehndeb.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Cackgmil.dll" | Flinpk32.exe
Set value (str) | ThreadingModel = "Apartment" | Pilgdm32.exe
Key created | (the key itself) | Hlkmbbod.exe
Set value (str) | ThreadingModel = "Apartment" | Bchgei32.exe
Key created | (the key itself) | Lhdqcg32.exe
Set value (str) | ThreadingModel = "Apartment" | Aejhno32.exe
Key created | (the key itself) | Cqnojg32.exe
Set value (str) | ThreadingModel = "Apartment" | Hcabnc32.exe
Key created | (the key itself) | Glakkpqi.exe
Key created | (the key itself) | Omlkdcaq.exe
Set value (str) | ThreadingModel = "Apartment" | Nnecfpfp.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Ddgbpkcj.dll" | Hjkinide.exe
Key created | (the key itself) | Iohljb32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Npgakcjl.dll" | Egoodhcp.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Bdejgmgi.dll" | Djohdo32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Hmhkqeqm.dll" | Dmoafjhi.exe
Key created | (the key itself) | Fgmlbj32.exe
Key created | (the key itself) | Pmnifjnp.exe
Set value (str) | ThreadingModel = "Apartment" | Mjkikk32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Lgbfoada.dll" | Phddniaa.exe
Key created | (the key itself) | Mbpfpa32.exe
Key created | (the key itself) | Npmkoamd.exe
Set value (str) | ThreadingModel = "Apartment" | Plnfaaba.exe
Set value (str) | ThreadingModel = "Apartment" | Hpjokp32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Oihlal32.dll" | Anhcfoiq.exe
Key created | (the key itself) | Dnnoojhf.exe
Key created | (the key itself) | Fojnll32.exe
Set value (str) | ThreadingModel = "Apartment" | Mimbla32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Pfbnjn32.dll" | Iojbek32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Bpgnekom.dll" | Mihbgkfk.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Okeqmq32.dll" | Ahbaog32.exe
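The "Adds autorun key" and "Modifies registry class" tables are two halves of one persistence mechanism: the ShellServiceObjectDelayLoad (SSODL) value names a CLSID, and that CLSID's InProcServer32 default value names a DLL in SysWow64, so Explorer loads the DLL at every logon. The Python below is an added example and is not part of the Triage report or of the sample. It audits a registry snapshot in that shape, resolves each SSODL value to its InProcServer32 DLL, and flags entries whose CLSID is absent from an operator-supplied baseline or whose DLL name matches the naming pattern of the files this sample dropped. The snapshot, the baseline set (seeded with an assumed stock WebCheck entry) and the naming regex are constructed for the example; `snapshot_from_live_registry()` reads the same keys from a real Windows host and is the assumed way to feed it live data.

```python
import re
import sys

# Heuristic derived from the file names in this report (Kcjhaj32.exe, Knbidbqo.exe,
# Jkbmim32.dll, ...): one capital letter, then seven lowercase letters or five
# lowercase letters plus "32". A hunt filter for this report's naming scheme, not a
# family signature.
GENERATED_NAME = re.compile(r"[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)")

# The two SSODL keys Explorer consults: the 64-bit view and the WOW6432Node view the
# 32-bit sample wrote to. HKLM\... is the Win32 name for \REGISTRY\MACHINE\...
SSODL_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
)


def inproc_key(clsid: str, wow64: bool) -> str:
    """Key whose (default) value holds the in-process server DLL for a CLSID."""
    hive = r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID" if wow64 else r"HKLM\SOFTWARE\Classes\CLSID"
    return hive + "\\" + clsid + r"\InProcServer32"


def audit_ssodl(snapshot: dict, baseline: set) -> list:
    """snapshot: {key path: {value name: data}}; baseline: CLSIDs verified on a clean build.
    Returns one finding per suspicious SSODL entry, with the reasons it was flagged."""
    baseline = {g.upper() for g in baseline}
    findings = []
    for key in SSODL_KEYS:
        wow64 = "WOW6432Node" in key
        for name, clsid in snapshot.get(key, {}).items():
            dll = snapshot.get(inproc_key(clsid, wow64), {}).get("")  # "" is the (default) value
            reasons = []
            if clsid.upper() not in baseline:
                reasons.append("clsid not in baseline")
            if dll is None:
                reasons.append("no InProcServer32 registered")
            elif GENERATED_NAME.fullmatch(dll.rsplit("\\", 1)[-1]):
                reasons.append("dll name matches dropper naming pattern")
            if reasons:
                findings.append({"key": key, "name": name, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


# Constructed snapshot in the layout audit_ssodl() expects: the entries this sample wrote
# (taken from the two registry tables above) next to an assumed stock WebCheck entry that
# stands in for what a clean baseline would contain.
SAMPLE_SNAPSHOT = {
    SSODL_KEYS[1]: {"Web Event Logger": "{79FEACFF-FFCE-815E-A900-316290B5B738}"},
    SSODL_KEYS[0]: {"WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"},
    inproc_key("{79FEACFF-FFCE-815E-A900-316290B5B738}", True): {
        "": r"C:\Windows\SysWow64\Jkbmim32.dll",
        "ThreadingModel": "Apartment",
    },
    inproc_key("{E6FB5E20-DE35-11CF-9C87-00AA005127ED}", False): {
        "": r"C:\Windows\System32\webcheck.dll",
    },
}
BASELINE_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}  # assumption: operator-verified


def snapshot_from_live_registry() -> dict:
    """Windows only: read the same keys from the live registry (64-bit view) into the
    snapshot layout. Not used by the offline demo below."""
    import winreg

    def values(subkey: str) -> dict:
        out, i = {}, 0
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:  # no more values
                        return out
                    out[name], i = data, i + 1
        except OSError:  # key absent or access denied
            return out

    snap = {}
    for key in SSODL_KEYS:
        snap[key] = values(key.split("\\", 1)[1])
        for clsid in snap[key].values():
            ik = inproc_key(clsid, "WOW6432Node" in key)
            snap[ik] = values(ik.split("\\", 1)[1])
    return snap


if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    snap = snapshot_from_live_registry() if live else SAMPLE_SNAPSHOT
    for f in audit_ssodl(snap, BASELINE_CLSIDS):
        print(f"{f['name']} -> {f['clsid']} -> {f['dll']}: {', '.join(f['reasons'])}")
```

Run without arguments it audits the constructed snapshot and reports the "Web Event Logger" entry; on a Windows host `--live` audits the real keys. The baseline is the important input: build it from a clean image of the same build, because the naming heuristic only catches droppers that use this sample's scheme.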
Suspicious use of WriteProcessMemory (64 IoCs)

Each row in the report is one WriteProcessMemory call by the parent into the child it has just started; the report lists three identical rows per child, so the 64-row cap covers 21 complete parent/child pairs plus the first write of the 22nd. The table below collapses the repeats and keeps the count.

parent PID | child PID | parent Process | procid_target | writes
4816 | 4788 | 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe | 85 | 3
4788 | 2080 | Kcjhaj32.exe | 86 | 3
2080 | 4792 | Kejekm32.exe | 87 | 3
4792 | 1476 | Knbidbqo.exe | 88 | 3
1476 | 916 | Khknmh32.exe | 89 | 3
916 | 2500 | Kacbfnnp.exe | 90 | 3
2500 | 5016 | Lmjckocd.exe | 91 | 3
5016 | 1716 | Lmlpqnaa.exe | 92 | 3
1716 | 964 | Ldfhmh32.exe | 93 | 3
964 | 4320 | Lmnlfn32.exe | 94 | 3
4320 | 2332 | Lhdqcg32.exe | 95 | 3
2332 | 3896 | Ldkahhei.exe | 96 | 3
3896 | 4804 | Lopeeq32.exe | 97 | 3
4804 | 936 | Mkgfkajc.exe | 98 | 3
936 | 1756 | Mkicpahq.exe | 99 | 3
1756 | 3676 | Mackmkpn.exe | 100 | 3
3676 | 2504 | Mdagigoa.exe | 101 | 3
2504 | 2220 | Mmjlbl32.exe | 102 | 3
2220 | 1072 | Mojhlold.exe | 103 | 3
1072 | 4688 | Mgempa32.exe | 104 | 3
4688 | 5036 | Nonbgo32.exe | 105 | 3
5036 | 2008 | Nehjci32.exe | 106 | 1 (listing cut off at 64 IoCs)
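The WriteProcessMemory table and the "Drops file in System32 directory" table are two views of the same behaviour: each process writes the next executable into SysWOW64, launches it, and hands over, so the process tree is one straight chain. The Python below is an added example, not from the Triage report or the sample. It parses rows in the report's flattened text layout, collapses the three writes logged per child into one edge, rebuilds the spawn chain from the root PID (refusing anything that is not a straight line, so a branching tree is reported rather than silently flattened), and checks dropped names against the naming heuristic of this report's files. The row strings are copied from the tables above and are only a subset; the two row regexes are assumptions about Triage's text export and may need adjusting for other exports.

```python
import re

# Heuristic derived from the names in this report: one capital letter, then seven
# lowercase letters or five lowercase letters plus "32" (hunt filter, not a signature).
GENERATED_NAME = re.compile(r"[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)")

# Row layouts as they appear in this report (assumed; adjust if your export differs).
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
DROP_ROW = re.compile(r"File (created|opened for modification) (\S+) (\S+)")

# Constructed input: rows copied from the two tables above (a subset of the 64 in each).
WPM_ROWS = r"""
PID 4816 wrote to memory of 4788 4816 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe 85
PID 4816 wrote to memory of 4788 4816 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe 85
PID 4816 wrote to memory of 4788 4816 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe 85
PID 4788 wrote to memory of 2080 4788 Kcjhaj32.exe 86
PID 4788 wrote to memory of 2080 4788 Kcjhaj32.exe 86
PID 4788 wrote to memory of 2080 4788 Kcjhaj32.exe 86
PID 2080 wrote to memory of 4792 2080 Kejekm32.exe 87
PID 4792 wrote to memory of 1476 4792 Knbidbqo.exe 88
PID 1476 wrote to memory of 916 1476 Khknmh32.exe 89
"""
DROP_ROWS = r"""
File created C:\Windows\SysWOW64\Eohjlked.dll Hhhego32.exe
File opened for modification C:\Windows\SysWOW64\Cjeenqcc.exe Cggibe32.exe
File created C:\Windows\SysWOW64\Fnaclk32.exe Fggkpqgj.exe
File created C:\Windows\SysWOW64\Abipmcap.exe Aiakcn32.exe
File opened for modification C:\Windows\SysWOW64\Mackmkpn.exe Mkicpahq.exe
"""


def parse_write_edges(rows: str) -> list:
    """Unique (parent_pid, child_pid, parent_image, procid_target) edges in first-seen order.
    The report logs one row per WriteProcessMemory call, so repeats collapse to one edge."""
    edges = {}
    for line in rows.splitlines():
        m = WPM_ROW.fullmatch(line.strip())
        if m:
            edges.setdefault((int(m[1]), int(m[2]), m[3], int(m[4])), None)
    return list(edges)


def spawn_chain(edges: list, root_pid: int) -> tuple:
    """Walk parent->child edges from root_pid. Returns ([(pid, image), ...], last_child_pid).
    Raises ValueError if a process has more than one child or the graph loops, i.e. if the
    tree is not the straight line this report shows."""
    children = {}
    for parent, child, image, _ in edges:
        children.setdefault(parent, []).append((child, image))
    chain, pid, seen = [], root_pid, set()
    while pid in children:
        if pid in seen:
            raise ValueError(f"cycle at pid {pid}")
        if len(children[pid]) != 1:
            raise ValueError(f"pid {pid} has {len(children[pid])} children; not a linear chain")
        seen.add(pid)
        child, image = children[pid][0]
        chain.append((pid, image))
        pid = child
    return chain, pid


def parse_drops(rows: str) -> dict:
    """{dropped file name: (action, dropper image)} for files written under SysWOW64."""
    drops = {}
    for line in rows.splitlines():
        m = DROP_ROW.fullmatch(line.strip())
        if m:
            drops[m[2].rsplit("\\", 1)[-1]] = (m[1], m[3])
    return drops


def summarize(wpm_rows: str, drop_rows: str, root_pid: int) -> dict:
    """Chain length, the images along it, and how many names fit the dropper's scheme."""
    chain, last = spawn_chain(parse_write_edges(wpm_rows), root_pid)
    images = [img for _, img in chain]
    drops = parse_drops(drop_rows)
    return {
        "hops": len(chain),
        "last_pid": last,
        "images": images,
        "generated_names": sum(1 for i in images if GENERATED_NAME.fullmatch(i)),
        "dropped_exes": sorted(f for f in drops if f.endswith(".exe")),
        "dropped_dlls": sorted(f for f in drops if f.endswith(".dll")),
        "all_drops_generated": all(GENERATED_NAME.fullmatch(f) for f in drops),
    }


if __name__ == "__main__":
    s = summarize(WPM_ROWS, DROP_ROWS, root_pid=4816)
    print(f"{s['hops']} hops from 4816 to {s['last_pid']}: " + " -> ".join(s["images"]))
    print(f"{s['generated_names']} of {s['hops']} images match the generated-name pattern")
    print("dropped:", s["dropped_exes"], s["dropped_dlls"], "all generated:", s["all_drops_generated"])
```

Fed the full 64-row tables, `summarize()` reproduces the 22-process chain shown in the WriteProcessMemory table; the process tree below continues past that because the IoC listing is capped at 64 rows per signature while the tree is not, so do not read the per-signature counts as totals.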
Processes

Each process is the child of the one above it; the list number is the depth the report assigns. Image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\system32: each 32-bit parent launches the system32 path and WOW64 file system redirection resolves it to SysWOW64, which is also why the dropped files land there.

1. C:\Users\Admin\AppData\Local\Temp\8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe", PID 4816
   Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kcjhaj32.exe
   command line: C:\Windows\system32\Kcjhaj32.exe, PID 4788
   Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kejekm32.exe
   command line: C:\Windows\system32\Kejekm32.exe, PID 2080
   Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Knbidbqo.exe
   command line: C:\Windows\system32\Knbidbqo.exe, PID 4792
   Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Khknmh32.exe
   command line: C:\Windows\system32\Khknmh32.exe, PID 1476
   Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kacbfnnp.exe
   command line: C:\Windows\system32\Kacbfnnp.exe, PID 916
   Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Lmjckocd.exe
   command line: C:\Windows\system32\Lmjckocd.exe, PID 2500
   Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Lmlpqnaa.exe
   command line: C:\Windows\system32\Lmlpqnaa.exe, PID 5016
   Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ldfhmh32.exe
   command line: C:\Windows\system32\Ldfhmh32.exe, PID 1716
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lmnlfn32.exe
   command line: C:\Windows\system32\Lmnlfn32.exe, PID 964
   Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lhdqcg32.exe
   command line: C:\Windows\system32\Lhdqcg32.exe, PID 4320
   Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ldkahhei.exe
   command line: C:\Windows\system32\Ldkahhei.exe, PID 2332
   Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lopeeq32.exe
   command line: C:\Windows\system32\Lopeeq32.exe, PID 3896
   Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mkgfkajc.exe
   command line: C:\Windows\system32\Mkgfkajc.exe, PID 4804
   Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mkicpahq.exe
   command line: C:\Windows\system32\Mkicpahq.exe, PID 936
   Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mackmkpn.exe
   command line: C:\Windows\system32\Mackmkpn.exe, PID 1756
   Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mdagigoa.exe
   command line: C:\Windows\system32\Mdagigoa.exe, PID 3676
   Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Mmjlbl32.exe
   command line: C:\Windows\system32\Mmjlbl32.exe, PID 2504
   Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Mojhlold.exe
   command line: C:\Windows\system32\Mojhlold.exe, PID 2220
   Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Mgempa32.exe
   command line: C:\Windows\system32\Mgempa32.exe, PID 1072
   Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Nonbgo32.exe
   command line: C:\Windows\system32\Nonbgo32.exe, PID 4688
   Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Nehjci32.exe
   command line: C:\Windows\system32\Nehjci32.exe, PID 5036
   Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Nncohk32.exe
   command line: C:\Windows\system32\Nncohk32.exe, PID 2008
   Executes dropped EXE
24. C:\Windows\SysWOW64\Nnfknk32.exe
   command line: C:\Windows\system32\Nnfknk32.exe (PID not shown; the listing ends here)
   Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Ngnpfp32.exeC:\Windows\system32\Ngnpfp32.exe25⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Neopdhjd.exeC:\Windows\system32\Neopdhjd.exe26⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Neamjgha.exeC:\Windows\system32\Neamjgha.exe27⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Oahnohme.exeC:\Windows\system32\Oahnohme.exe28⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Oolnhmlo.exeC:\Windows\system32\Oolnhmlo.exe29⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Oooknl32.exeC:\Windows\system32\Oooknl32.exe30⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Oeicjfai.exeC:\Windows\system32\Oeicjfai.exe31⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Ogjpbo32.exeC:\Windows\system32\Ogjpbo32.exe32⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Odnplc32.exeC:\Windows\system32\Odnplc32.exe33⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Onfddh32.exeC:\Windows\system32\Onfddh32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Pdpmabdo.exeC:\Windows\system32\Pdpmabdo.exe35⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Pofankdd.exeC:\Windows\system32\Pofankdd.exe36⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Phnega32.exeC:\Windows\system32\Phnega32.exe37⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Pnknphil.exeC:\Windows\system32\Pnknphil.exe38⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Pdeflb32.exeC:\Windows\system32\Pdeflb32.exe39⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Pojjik32.exeC:\Windows\system32\Pojjik32.exe40⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Pfdbfegl.exeC:\Windows\system32\Pfdbfegl.exe41⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Phcobpfp.exeC:\Windows\system32\Phcobpfp.exe42⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Pnpgkg32.exeC:\Windows\system32\Pnpgkg32.exe43⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Pdipgald.exeC:\Windows\system32\Pdipgald.exe44⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Pnbdpg32.exeC:\Windows\system32\Pnbdpg32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Qbpmfe32.exeC:\Windows\system32\Qbpmfe32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:652 -
C:\Windows\SysWOW64\Abbile32.exeC:\Windows\system32\Abbile32.exe47⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Aofjei32.exeC:\Windows\system32\Aofjei32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Aiakcn32.exeC:\Windows\system32\Aiakcn32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4248 -
C:\Windows\SysWOW64\Abipmcap.exeC:\Windows\system32\Abipmcap.exe50⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Aompfh32.exeC:\Windows\system32\Aompfh32.exe51⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Aejhno32.exeC:\Windows\system32\Aejhno32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Bnbmgdda.exeC:\Windows\system32\Bnbmgdda.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Beledo32.exeC:\Windows\system32\Beledo32.exe54⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Cnbfnbfo.exeC:\Windows\system32\Cnbfnbfo.exe55⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Cihjkkfe.exeC:\Windows\system32\Cihjkkfe.exe56⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Cnebcadl.exeC:\Windows\system32\Cnebcadl.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Chmglg32.exeC:\Windows\system32\Chmglg32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Cngoiabj.exeC:\Windows\system32\Cngoiabj.exe59⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Ceagfkjf.exeC:\Windows\system32\Ceagfkjf.exe60⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Dnjloa32.exeC:\Windows\system32\Dnjloa32.exe61⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Deddkkgd.exeC:\Windows\system32\Deddkkgd.exe62⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Dlnlhe32.exeC:\Windows\system32\Dlnlhe32.exe63⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Dbhdeofn.exeC:\Windows\system32\Dbhdeofn.exe64⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Defaak32.exeC:\Windows\system32\Defaak32.exe65⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Dehnfj32.exeC:\Windows\system32\Dehnfj32.exe66⤵PID:2392
-
C:\Windows\SysWOW64\Dpnbcc32.exeC:\Windows\system32\Dpnbcc32.exe67⤵PID:2232
-
C:\Windows\SysWOW64\Dlebid32.exeC:\Windows\system32\Dlebid32.exe68⤵PID:2640
-
C:\Windows\SysWOW64\Demgajpi.exeC:\Windows\system32\Demgajpi.exe69⤵
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Ehkcneom.exeC:\Windows\system32\Ehkcneom.exe70⤵PID:2360
-
C:\Windows\SysWOW64\Eoekjo32.exeC:\Windows\system32\Eoekjo32.exe71⤵PID:1872
-
C:\Windows\SysWOW64\Eeodgimf.exeC:\Windows\system32\Eeodgimf.exe72⤵PID:3708
-
C:\Windows\SysWOW64\Epehdb32.exeC:\Windows\system32\Epehdb32.exe73⤵
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Ebcdqn32.exeC:\Windows\system32\Ebcdqn32.exe74⤵PID:1572
-
C:\Windows\SysWOW64\Epgejb32.exeC:\Windows\system32\Epgejb32.exe75⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Efamflbg.exeC:\Windows\system32\Efamflbg.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4032 -
C:\Windows\SysWOW64\Ehbind32.exeC:\Windows\system32\Ehbind32.exe77⤵
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Ebhnlmhk.exeC:\Windows\system32\Ebhnlmhk.exe78⤵PID:3100
-
C:\Windows\SysWOW64\Eibfhg32.exeC:\Windows\system32\Eibfhg32.exe79⤵PID:3932
-
C:\Windows\SysWOW64\Eplneagd.exeC:\Windows\system32\Eplneagd.exe80⤵PID:2956
-
C:\Windows\SysWOW64\Ebjjamfh.exeC:\Windows\system32\Ebjjamfh.exe81⤵PID:1440
-
C:\Windows\SysWOW64\Eeifmhel.exeC:\Windows\system32\Eeifmhel.exe82⤵PID:4732
-
C:\Windows\SysWOW64\Flcojb32.exeC:\Windows\system32\Flcojb32.exe83⤵PID:1560
-
C:\Windows\SysWOW64\Fbmggl32.exeC:\Windows\system32\Fbmggl32.exe84⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Figocflb.exeC:\Windows\system32\Figocflb.exe85⤵PID:5092
-
C:\Windows\SysWOW64\Flelpbkf.exeC:\Windows\system32\Flelpbkf.exe86⤵PID:3816
-
C:\Windows\SysWOW64\Fbodll32.exeC:\Windows\system32\Fbodll32.exe87⤵PID:4160
-
C:\Windows\SysWOW64\Fhlldc32.exeC:\Windows\system32\Fhlldc32.exe88⤵PID:3532
-
C:\Windows\SysWOW64\Fofdam32.exeC:\Windows\system32\Fofdam32.exe89⤵PID:4220
-
C:\Windows\SysWOW64\Fgmlbj32.exeC:\Windows\system32\Fgmlbj32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Fhnijbng.exeC:\Windows\system32\Fhnijbng.exe91⤵PID:4612
-
C:\Windows\SysWOW64\Fcdmgknn.exeC:\Windows\system32\Fcdmgknn.exe92⤵PID:544
-
C:\Windows\SysWOW64\Finede32.exeC:\Windows\system32\Finede32.exe93⤵PID:4680
-
C:\Windows\SysWOW64\Fojnll32.exeC:\Windows\system32\Fojnll32.exe94⤵
- Modifies registry class
PID:3776 -
C:\Windows\SysWOW64\Glakkpqi.exeC:\Windows\system32\Glakkpqi.exe95⤵
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Googglpl.exeC:\Windows\system32\Googglpl.exe96⤵PID:4796
-
C:\Windows\SysWOW64\Ggfohi32.exeC:\Windows\system32\Ggfohi32.exe97⤵PID:1260
-
C:\Windows\SysWOW64\Gieled32.exeC:\Windows\system32\Gieled32.exe98⤵
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Gpodaogo.exeC:\Windows\system32\Gpodaogo.exe99⤵PID:2464
-
C:\Windows\SysWOW64\Gcmpnjfc.exeC:\Windows\system32\Gcmpnjfc.exe100⤵PID:2924
-
C:\Windows\SysWOW64\Gjghjd32.exeC:\Windows\system32\Gjghjd32.exe101⤵
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Ghjhfadj.exeC:\Windows\system32\Ghjhfadj.exe102⤵PID:4596
-
C:\Windows\SysWOW64\Godqbk32.exeC:\Windows\system32\Godqbk32.exe103⤵PID:2420
-
C:\Windows\SysWOW64\Genioecd.exeC:\Windows\system32\Genioecd.exe104⤵PID:4332
-
C:\Windows\SysWOW64\Ghlekq32.exeC:\Windows\system32\Ghlekq32.exe105⤵PID:2644
-
C:\Windows\SysWOW64\Gofmhkjd.exeC:\Windows\system32\Gofmhkjd.exe106⤵PID:624
-
C:\Windows\SysWOW64\Ggmeihjg.exeC:\Windows\system32\Ggmeihjg.exe107⤵PID:5048
-
C:\Windows\SysWOW64\Hhobap32.exeC:\Windows\system32\Hhobap32.exe108⤵PID:4912
-
C:\Windows\SysWOW64\Hpfjbn32.exeC:\Windows\system32\Hpfjbn32.exe109⤵PID:3192
-
C:\Windows\SysWOW64\Hfbbjd32.exeC:\Windows\system32\Hfbbjd32.exe110⤵PID:5128
-
C:\Windows\SysWOW64\Hlmkgo32.exeC:\Windows\system32\Hlmkgo32.exe111⤵PID:5144
-
C:\Windows\SysWOW64\Hcfcdinh.exeC:\Windows\system32\Hcfcdinh.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5160 -
C:\Windows\SysWOW64\Hjqkqc32.exeC:\Windows\system32\Hjqkqc32.exe113⤵PID:5176
-
C:\Windows\SysWOW64\Hpjcmmmb.exeC:\Windows\system32\Hpjcmmmb.exe114⤵PID:5192
-
C:\Windows\SysWOW64\Hcipihle.exeC:\Windows\system32\Hcipihle.exe115⤵PID:5208
-
C:\Windows\SysWOW64\Hhehaojm.exeC:\Windows\system32\Hhehaojm.exe116⤵PID:5224
-
C:\Windows\SysWOW64\Hpmpbm32.exeC:\Windows\system32\Hpmpbm32.exe117⤵PID:5240
-
C:\Windows\SysWOW64\Hckloh32.exeC:\Windows\system32\Hckloh32.exe118⤵PID:5256
-
C:\Windows\SysWOW64\Hhhego32.exeC:\Windows\system32\Hhhego32.exe119⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Hobmdipg.exeC:\Windows\system32\Hobmdipg.exe120⤵PID:5288
-
C:\Windows\SysWOW64\Ijgaabom.exeC:\Windows\system32\Ijgaabom.exe121⤵PID:5304
-
C:\Windows\SysWOW64\Ilfmmmnq.exeC:\Windows\system32\Ilfmmmnq.exe122⤵PID:5320
-