Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
79s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
26/11/2023, 08:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bed0c1b1c8f98c519fb7179f4ddc644f.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
bed0c1b1c8f98c519fb7179f4ddc644f.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bed0c1b1c8f98c519fb7179f4ddc644f.exe
-
Size
275KB
-
MD5
bed0c1b1c8f98c519fb7179f4ddc644f
-
SHA1
8601f5c8ab77415a671131d5cb5b8129b92a3281
-
SHA256
cf2e3de03ff038f17d9f6a8b1d8423f4ba49ee5d6e63da338e7187b4f1f52ac2
-
SHA512
e73ff37e16fb9749ad32cd368e3e76ca8d67ffc4131f4dee7908868c4bdb50661af6500aa5f59ff19081e4ad818b57ffe0f29eff36a062391a827245f036ac43
-
SSDEEP
6144:ami2nknJSqPgzL2V4cpC0L4AY7YWT63cpC0L4f:zknoL2/p9i7drp9S
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdklebje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdalkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eclmlpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcaipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhccpci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfngcdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdibplaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejlnfjbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfomda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Japmcfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edihdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgkan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmopmalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fegiba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glajeiml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehnboko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnplfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcddkggf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Incpdodg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfqnbjfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Logbigbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbbak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmplbpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgihh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Digmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfamia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfdnnbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfoac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnglc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcibca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmghklif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdflaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nboiekjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccendc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhbko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mljmhflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiinoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homcbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecafgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgeenfog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfjjlgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbinlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jldkeeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmaoahm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomkkagl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfqjhmhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dckoia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nboiekjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpllgme.exe -
Executes dropped EXE 64 IoCs
pid Process 2852 Ojomcopk.exe 4948 Ofhknodl.exe 3128 Omgmeigd.exe 4860 Pjkmomfn.exe 2272 Phajna32.exe 2128 Pjbcplpe.exe 4672 Pnplfj32.exe 4192 Qfmmplad.exe 1332 Aaenbd32.exe 4396 Ahaceo32.exe 4920 Akdilipp.exe 2884 Baannc32.exe 3260 Bahdob32.exe 368 Boldhf32.exe 3524 Cponen32.exe 4652 Cdmfllhn.exe 2512 Chkobkod.exe 4924 Dojqjdbl.exe 2132 Dgeenfog.exe 892 Dhdbhifj.exe 2856 Dndgfpbo.exe 4988 Dglkoeio.exe 3532 Eoepebho.exe 1740 Ehpadhll.exe 1556 Eqlfhjig.exe 4416 Fbmohmoh.exe 4560 Fijdjfdb.exe 1652 Feqeog32.exe 1968 Feenjgfq.exe 4208 Gpmomo32.exe 64 Gnblnlhl.exe 392 Gpaihooo.exe 1000 Ggmmlamj.exe 1384 Hecjke32.exe 840 Heegad32.exe 4700 Hpkknmgd.exe 3184 Hlblcn32.exe 2368 Hldiinke.exe 2736 Hihibbjo.exe 5048 Iacngdgj.exe 3960 Ibcjqgnm.exe 2700 Iojkeh32.exe 3144 Ilnlom32.exe 1208 Iefphb32.exe 5104 Ilphdlqh.exe 3568 Jhgiim32.exe 4780 Jaonbc32.exe 2928 Jaajhb32.exe 4888 Jadgnb32.exe 1840 Jlikkkhn.exe 5052 Jbepme32.exe 3920 Klndfj32.exe 4364 Kibeoo32.exe 2032 Kcjjhdjb.exe 4232 Klbnajqc.exe 3912 Kpqggh32.exe 4368 Kadpdp32.exe 4680 Lpepbgbd.exe 968 Lebijnak.exe 4492 Lpgmhg32.exe 3564 Ljpaqmgb.exe 264 Lomjicei.exe 5084 Ljbnfleo.exe 4584 Loofnccf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fhfjkmma.dll Ggilgn32.exe File opened for modification C:\Windows\SysWOW64\Komoed32.exe Kbinlp32.exe File opened for modification C:\Windows\SysWOW64\Hmlicp32.exe Process not Found File created C:\Windows\SysWOW64\Ikgpmc32.exe Idmhqi32.exe File opened for modification C:\Windows\SysWOW64\Ilnlom32.exe Iojkeh32.exe File opened for modification C:\Windows\SysWOW64\Lpochfji.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Qckcba32.dll Ojhiogdd.exe File created C:\Windows\SysWOW64\Bdocph32.exe Bfkbfd32.exe File created C:\Windows\SysWOW64\Hokomfqg.dll Iacngdgj.exe File opened for modification C:\Windows\SysWOW64\Klndfj32.exe Jbepme32.exe File created C:\Windows\SysWOW64\Caccgepo.dll Deokja32.exe File opened for modification C:\Windows\SysWOW64\Jjnqap32.exe Iohlcg32.exe File created C:\Windows\SysWOW64\Ogmaneoa.exe Ondleo32.exe File created C:\Windows\SysWOW64\Gbambkif.dll Ahfmka32.exe File opened for modification C:\Windows\SysWOW64\Blkkaohc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mcaipa32.exe Mhldbh32.exe File opened for modification C:\Windows\SysWOW64\Jbncbpqd.exe Jldkeeig.exe File opened for modification C:\Windows\SysWOW64\Flhoinbl.exe Ffnglc32.exe File created C:\Windows\SysWOW64\Fopdlj32.dll Moiheebb.exe File created C:\Windows\SysWOW64\Hjbhph32.exe Homcbo32.exe File created C:\Windows\SysWOW64\Hnkhdmeh.dll Ppdjpcng.exe File created C:\Windows\SysWOW64\Foenplji.exe Fhkecb32.exe File created C:\Windows\SysWOW64\Pdpaehlk.dll Ppccemjk.exe File opened for modification C:\Windows\SysWOW64\Ofhknodl.exe Ojomcopk.exe File created C:\Windows\SysWOW64\Dmifkecb.exe Ddqbbo32.exe File opened for modification C:\Windows\SysWOW64\Klnkoc32.exe Khpcid32.exe File created C:\Windows\SysWOW64\Ccfcpm32.exe Ccdgjm32.exe File created C:\Windows\SysWOW64\Dnqaheai.exe Process not Found File created C:\Windows\SysWOW64\Fbbnhl32.dll Iencmm32.exe File opened for modification C:\Windows\SysWOW64\Dnienqbi.exe Daeddlco.exe File created C:\Windows\SysWOW64\Pddokabk.exe Pnjgog32.exe File created C:\Windows\SysWOW64\Komoed32.exe Kbinlp32.exe File opened for modification C:\Windows\SysWOW64\Olkqnjhd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ffcedd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kadpdp32.exe Kpqggh32.exe File created C:\Windows\SysWOW64\Oggllnkl.exe Opmcod32.exe File created C:\Windows\SysWOW64\Gbhhieao.exe Ggccllai.exe File created C:\Windows\SysWOW64\Mpaifo32.dll Hjaioe32.exe File created C:\Windows\SysWOW64\Dbmoak32.dll Indkpcdk.exe File created C:\Windows\SysWOW64\Ijjekn32.exe Icnphd32.exe File created C:\Windows\SysWOW64\Jknbhdmb.dll Nkdlkope.exe File created C:\Windows\SysWOW64\Mhoaqa32.dll Cjaiac32.exe File created C:\Windows\SysWOW64\Ciipkkdj.dll Bahdob32.exe File opened for modification C:\Windows\SysWOW64\Pbekii32.exe Pmhbqbae.exe File created C:\Windows\SysWOW64\Fgencf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jodlof32.exe Mcklac32.exe File created C:\Windows\SysWOW64\Bpcqee32.dll Fejegaao.exe File created C:\Windows\SysWOW64\Cofpmh32.dll Ehnpmkbg.exe File created C:\Windows\SysWOW64\Jojboa32.exe Process not Found File created C:\Windows\SysWOW64\Kkhidaeo.exe Jekpljgg.exe File opened for modification C:\Windows\SysWOW64\Cngnbfid.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oiojmgcb.exe Oilmhhfd.exe File opened for modification C:\Windows\SysWOW64\Cdmfllhn.exe Cponen32.exe File opened for modification C:\Windows\SysWOW64\Lbhool32.exe Lhbkac32.exe File created C:\Windows\SysWOW64\Fefjanml.exe Elnehifk.exe File created C:\Windows\SysWOW64\Onbmjegm.dll Bbjmih32.exe File created C:\Windows\SysWOW64\Bifblbad.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fckaeioa.exe Flaiho32.exe File created C:\Windows\SysWOW64\Lhjnfn32.exe Kjfmminc.exe File created C:\Windows\SysWOW64\Ghbkdald.exe Gahcgg32.exe File created C:\Windows\SysWOW64\Cggikk32.exe Process not Found File created C:\Windows\SysWOW64\Conhfaeh.dll Process not Found File created C:\Windows\SysWOW64\Ofjljj32.dll Enjfli32.exe File created C:\Windows\SysWOW64\Jifabb32.exe Jcihjl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4908 9528 Process not Found 1991 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnqcfjae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdjhkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkbbiqp.dll" Akogio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfmpob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enpknplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmbegqjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll" Nchhfild.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldckan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebdml32.dll" Gomkkagl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmpkakak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnciegc.dll" Ohkijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hceook32.dll" Daeddlco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdpagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocadkb32.dll" Oafacn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkejc32.dll" Cnlpgibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqfcbahb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jginej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfbadcc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aagdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll" Apnndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qejfkmem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inagpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igehifaa.dll" Nkpbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndinf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kibeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifkigic.dll" Pdpmkhjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfqgkgc.dll" Hljnkdnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejhoq32.dll" Opmcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enpjkjkh.dll" Jlafhkfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcjjhdjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcmkjeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkpkdlk.dll" Ejjgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikki32.dll" Ojemig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enjfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppbjhj32.dll" Eennefib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdkbakj.dll" Pgkegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmhgmd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcboj32.dll" Gccmaack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljhfc32.dll" Hgmebnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiplf32.dll" Begcjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiikpek.dll" Cboibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgmebnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hphfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgpmj32.dll" Cpmifkgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jggapj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjcdih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeigilml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phmnfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lflpmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkhidaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fejegaao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfkkqmiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkgblln.dll" Dcphdqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpicmhfo.dll" Mdagbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihnhc32.dll" Igghilhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imcqacfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojkkah32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1204 wrote to memory of 2852 1204 bed0c1b1c8f98c519fb7179f4ddc644f.exe 85 PID 1204 wrote to memory of 2852 1204 bed0c1b1c8f98c519fb7179f4ddc644f.exe 85 PID 1204 wrote to memory of 2852 1204 bed0c1b1c8f98c519fb7179f4ddc644f.exe 85 PID 2852 wrote to memory of 4948 2852 Ojomcopk.exe 87 PID 2852 wrote to memory of 4948 2852 Ojomcopk.exe 87 PID 2852 wrote to memory of 4948 2852 Ojomcopk.exe 87 PID 4948 wrote to memory of 3128 4948 Ofhknodl.exe 88 PID 4948 wrote to memory of 3128 4948 Ofhknodl.exe 88 PID 4948 wrote to memory of 3128 4948 Ofhknodl.exe 88 PID 3128 wrote to memory of 4860 3128 Omgmeigd.exe 89 PID 3128 wrote to memory of 4860 3128 Omgmeigd.exe 89 PID 3128 wrote to memory of 4860 3128 Omgmeigd.exe 89 PID 4860 wrote to memory of 2272 4860 Pjkmomfn.exe 90 PID 4860 wrote to memory of 2272 4860 Pjkmomfn.exe 90 PID 4860 wrote to memory of 2272 4860 Pjkmomfn.exe 90 PID 2272 wrote to memory of 2128 2272 Phajna32.exe 91 PID 2272 wrote to memory of 2128 2272 Phajna32.exe 91 PID 2272 wrote to memory of 2128 2272 Phajna32.exe 91 PID 2128 wrote to memory of 4672 2128 Pjbcplpe.exe 92 PID 2128 wrote to memory of 4672 2128 Pjbcplpe.exe 92 PID 2128 wrote to memory of 4672 2128 Pjbcplpe.exe 92 PID 4672 wrote to memory of 4192 4672 Pnplfj32.exe 93 PID 4672 wrote to memory of 4192 4672 Pnplfj32.exe 93 PID 4672 wrote to memory of 4192 4672 Pnplfj32.exe 93 PID 4192 wrote to memory of 1332 4192 Qfmmplad.exe 94 PID 4192 wrote to memory of 1332 4192 Qfmmplad.exe 94 PID 4192 wrote to memory of 1332 4192 Qfmmplad.exe 94 PID 1332 wrote to memory of 4396 1332 Aaenbd32.exe 95 PID 1332 wrote to memory of 4396 1332 Aaenbd32.exe 95 PID 1332 wrote to memory of 4396 1332 Aaenbd32.exe 95 PID 4396 wrote to memory of 4920 4396 Ahaceo32.exe 96 PID 4396 wrote to memory of 4920 4396 Ahaceo32.exe 96 PID 4396 wrote to memory of 4920 4396 Ahaceo32.exe 96 PID 4920 wrote to memory of 2884 4920 Akdilipp.exe 97 PID 4920 wrote to memory of 2884 4920 Akdilipp.exe 97 PID 4920 wrote to memory of 2884 4920 Akdilipp.exe 97 PID 2884 wrote to memory of 3260 2884 Baannc32.exe 98 PID 2884 wrote to memory of 3260 2884 Baannc32.exe 98 PID 2884 wrote to memory of 3260 2884 Baannc32.exe 98 PID 3260 wrote to memory of 368 3260 Bahdob32.exe 99 PID 3260 wrote to memory of 368 3260 Bahdob32.exe 99 PID 3260 wrote to memory of 368 3260 Bahdob32.exe 99 PID 368 wrote to memory of 3524 368 Boldhf32.exe 100 PID 368 wrote to memory of 3524 368 Boldhf32.exe 100 PID 368 wrote to memory of 3524 368 Boldhf32.exe 100 PID 3524 wrote to memory of 4652 3524 Cponen32.exe 101 PID 3524 wrote to memory of 4652 3524 Cponen32.exe 101 PID 3524 wrote to memory of 4652 3524 Cponen32.exe 101 PID 4652 wrote to memory of 2512 4652 Cdmfllhn.exe 102 PID 4652 wrote to memory of 2512 4652 Cdmfllhn.exe 102 PID 4652 wrote to memory of 2512 4652 Cdmfllhn.exe 102 PID 2512 wrote to memory of 4924 2512 Chkobkod.exe 103 PID 2512 wrote to memory of 4924 2512 Chkobkod.exe 103 PID 2512 wrote to memory of 4924 2512 Chkobkod.exe 103 PID 4924 wrote to memory of 2132 4924 Dojqjdbl.exe 104 PID 4924 wrote to memory of 2132 4924 Dojqjdbl.exe 104 PID 4924 wrote to memory of 2132 4924 Dojqjdbl.exe 104 PID 2132 wrote to memory of 892 2132 Dgeenfog.exe 105 PID 2132 wrote to memory of 892 2132 Dgeenfog.exe 105 PID 2132 wrote to memory of 892 2132 Dgeenfog.exe 105 PID 892 wrote to memory of 2856 892 Dhdbhifj.exe 106 PID 892 wrote to memory of 2856 892 Dhdbhifj.exe 106 PID 892 wrote to memory of 2856 892 Dhdbhifj.exe 106 PID 2856 wrote to memory of 4988 2856 Dndgfpbo.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\bed0c1b1c8f98c519fb7179f4ddc644f.exe"C:\Users\Admin\AppData\Local\Temp\bed0c1b1c8f98c519fb7179f4ddc644f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ofhknodl.exeC:\Windows\system32\Ofhknodl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Phajna32.exeC:\Windows\system32\Phajna32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Pnplfj32.exeC:\Windows\system32\Pnplfj32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Bahdob32.exeC:\Windows\system32\Bahdob32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Boldhf32.exeC:\Windows\system32\Boldhf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Chkobkod.exeC:\Windows\system32\Chkobkod.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Dhdbhifj.exeC:\Windows\system32\Dhdbhifj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe23⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Eoepebho.exeC:\Windows\system32\Eoepebho.exe24⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe25⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe26⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe27⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe28⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe29⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Feenjgfq.exeC:\Windows\system32\Feenjgfq.exe30⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe31⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Gnblnlhl.exeC:\Windows\system32\Gnblnlhl.exe32⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Gpaihooo.exeC:\Windows\system32\Gpaihooo.exe33⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Ggmmlamj.exeC:\Windows\system32\Ggmmlamj.exe34⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Hecjke32.exeC:\Windows\system32\Hecjke32.exe35⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe36⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe37⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe38⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Hldiinke.exeC:\Windows\system32\Hldiinke.exe39⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe40⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5048 -
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe42⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe44⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Iefphb32.exeC:\Windows\system32\Iefphb32.exe45⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe46⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe47⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe48⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe49⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Jadgnb32.exeC:\Windows\system32\Jadgnb32.exe50⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe51⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe53⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Klbnajqc.exeC:\Windows\system32\Klbnajqc.exe56⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3912 -
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe58⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe59⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Lebijnak.exeC:\Windows\system32\Lebijnak.exe60⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe61⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Ljpaqmgb.exeC:\Windows\system32\Ljpaqmgb.exe62⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe63⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Ljbnfleo.exeC:\Windows\system32\Ljbnfleo.exe64⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe65⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe66⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Lpochfji.exeC:\Windows\system32\Lpochfji.exe67⤵PID:1064
-
C:\Windows\SysWOW64\Mfkkqmiq.exeC:\Windows\system32\Mfkkqmiq.exe68⤵
- Modifies registry class
PID:4532 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe69⤵PID:4852
-
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe70⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Mcaipa32.exeC:\Windows\system32\Mcaipa32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4228 -
C:\Windows\SysWOW64\Mljmhflh.exeC:\Windows\system32\Mljmhflh.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Mokfja32.exeC:\Windows\system32\Mokfja32.exe73⤵PID:1860
-
C:\Windows\SysWOW64\Mbibfm32.exeC:\Windows\system32\Mbibfm32.exe74⤵PID:5024
-
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe75⤵PID:396
-
C:\Windows\SysWOW64\Nmaciefp.exeC:\Windows\system32\Nmaciefp.exe76⤵PID:2172
-
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe77⤵PID:3932
-
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe78⤵PID:3840
-
C:\Windows\SysWOW64\Nijqcf32.exeC:\Windows\system32\Nijqcf32.exe79⤵PID:3520
-
C:\Windows\SysWOW64\Nfnamjhk.exeC:\Windows\system32\Nfnamjhk.exe80⤵PID:1132
-
C:\Windows\SysWOW64\Nofefp32.exeC:\Windows\system32\Nofefp32.exe81⤵PID:1488
-
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Ooibkpmi.exeC:\Windows\system32\Ooibkpmi.exe83⤵PID:3620
-
C:\Windows\SysWOW64\Oiagde32.exeC:\Windows\system32\Oiagde32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3344 -
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:456 -
C:\Windows\SysWOW64\Oiccje32.exeC:\Windows\system32\Oiccje32.exe86⤵PID:1192
-
C:\Windows\SysWOW64\Ocihgnam.exeC:\Windows\system32\Ocihgnam.exe87⤵PID:1316
-
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe88⤵PID:4772
-
C:\Windows\SysWOW64\Ockdmmoj.exeC:\Windows\system32\Ockdmmoj.exe89⤵PID:5140
-
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe90⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe91⤵PID:5236
-
C:\Windows\SysWOW64\Ojhiogdd.exeC:\Windows\system32\Ojhiogdd.exe92⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe93⤵PID:5324
-
C:\Windows\SysWOW64\Pmhbqbae.exeC:\Windows\system32\Pmhbqbae.exe94⤵
- Drops file in System32 directory
PID:5364 -
C:\Windows\SysWOW64\Pbekii32.exeC:\Windows\system32\Pbekii32.exe95⤵PID:5400
-
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe96⤵PID:5452
-
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe97⤵PID:5496
-
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe98⤵PID:5540
-
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe99⤵PID:5584
-
C:\Windows\SysWOW64\Pmphaaln.exeC:\Windows\system32\Pmphaaln.exe100⤵PID:5624
-
C:\Windows\SysWOW64\Pblajhje.exeC:\Windows\system32\Pblajhje.exe101⤵PID:5660
-
C:\Windows\SysWOW64\Pmbegqjk.exeC:\Windows\system32\Pmbegqjk.exe102⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe103⤵PID:5756
-
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe104⤵PID:5800
-
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe105⤵PID:5836
-
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe106⤵PID:5884
-
C:\Windows\SysWOW64\Ajmladbl.exeC:\Windows\system32\Ajmladbl.exe107⤵PID:5924
-
C:\Windows\SysWOW64\Aagdnn32.exeC:\Windows\system32\Aagdnn32.exe108⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe109⤵PID:6012
-
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe110⤵PID:6056
-
C:\Windows\SysWOW64\Aidehpea.exeC:\Windows\system32\Aidehpea.exe111⤵PID:6096
-
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe112⤵
- Modifies registry class
PID:6140 -
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe113⤵PID:5192
-
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe114⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe115⤵PID:5336
-
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe116⤵PID:5424
-
C:\Windows\SysWOW64\Bdapehop.exeC:\Windows\system32\Bdapehop.exe117⤵PID:5508
-
C:\Windows\SysWOW64\Bphqji32.exeC:\Windows\system32\Bphqji32.exe118⤵PID:5572
-
C:\Windows\SysWOW64\Bipecnkd.exeC:\Windows\system32\Bipecnkd.exe119⤵PID:5656
-
C:\Windows\SysWOW64\Bgdemb32.exeC:\Windows\system32\Bgdemb32.exe120⤵PID:5720
-
C:\Windows\SysWOW64\Cdhffg32.exeC:\Windows\system32\Cdhffg32.exe121⤵PID:5784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-