Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
155s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
19/12/2023, 10:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0aaf84187c78a0204a05a9cf5a31b1c5.exe
Resource
win7-20231215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0aaf84187c78a0204a05a9cf5a31b1c5.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
0aaf84187c78a0204a05a9cf5a31b1c5.exe
-
Size
448KB
-
MD5
0aaf84187c78a0204a05a9cf5a31b1c5
-
SHA1
b1707604fc2d85c72d0bf74dbceee2af728b14d7
-
SHA256
4b7116138770e1232d76b212e3fcf05d1fcd6e6c4b171156e1ac2820501eb5f3
-
SHA512
97799b6df9d4eb1c31f3313153ee261fa801833af1db56a22522c3df487aaf0d304d92a05cf25b2f93b6ffd12ce8db4e9f1a2d48a114bfccf0a2bf5c70758e1a
-
SSDEEP
6144:iRSwGYf3QVqFRY4PpU3QVqF4y4wLv8EYdKLI+q7RS3QVqFRY4PpU3QVqF:ZaQVcQQVhyzIEWUT9QVcQQV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpjnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpagbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdffiinp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfoeiei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adapqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojefjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aegbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akjnnpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inejlibi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcboan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipqnknld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikhghi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kceoppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmefiakh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojljkkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgglnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdlkdlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjnlha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fanbll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmlde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gibhihko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adiknkco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnndhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iodaikfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjnjjlog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcplkoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjjkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmdoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmojep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iohlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpagdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icoodj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhnidi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcnceab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgpllm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koekpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgphje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahofidlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafgdfim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjjghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnhlgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnimia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niqnli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjfhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjehflie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclagm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eennefib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpqedfne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkkemble.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlbij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecphbckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dffmogji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkihgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpfonnab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipigqop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpagdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acheqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjdae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhddgofo.exe -
Executes dropped EXE 64 IoCs
pid Process 4344 Pmjhlklg.exe 468 Acdioc32.exe 2520 Bcnleb32.exe 1012 Cmpcdfll.exe 3848 Clgmkbna.exe 1260 Eennefib.exe 3128 Eegqldqg.exe 1120 Fpoaom32.exe 3368 Ffnglc32.exe 2360 Gjnlha32.exe 1736 Gfemmb32.exe 3528 Gckjlf32.exe 4392 Hfamia32.exe 1828 Hnokjm32.exe 3456 Igneda32.exe 4636 Jcoioabf.exe 4916 Kceoppmo.exe 732 Ldanloba.exe 4200 Laeoec32.exe 2280 Mgbpdgap.exe 5068 Ohbfeh32.exe 4384 Poagma32.exe 1696 Pfmlok32.exe 3248 Akjnnpcf.exe 2760 Ceehcc32.exe 5012 Deagoa32.exe 852 Didjqoae.exe 4532 Elnehifk.exe 1524 Fgcjea32.exe 1832 Fikihlmj.exe 1804 Gegchl32.exe 2224 Glqkefff.exe 3548 Hpaqqdjj.exe 2964 Hfniikha.exe 4444 Hhehkepj.exe 2500 Ijjnpg32.exe 1744 Jcihjl32.exe 400 Jmamba32.exe 3608 Jcnbekok.exe 1060 Kimgba32.exe 3780 Kjopbd32.exe 5076 Ljffccjh.exe 3800 Lglcag32.exe 2812 Mfomda32.exe 4084 Naqqmieo.exe 3208 Okpkgm32.exe 4764 Paomog32.exe 3784 Qjcdih32.exe 4940 Qhddgofo.exe 1772 Ajjjjghg.exe 4192 Anjpeelk.exe 2372 Bkcjjhgp.exe 4900 Bndblcdq.exe 320 Cnhlgc32.exe 1660 Dabhomea.exe 2920 Dagajlal.exe 2184 Ehhpge32.exe 1620 Ehmibdol.exe 1652 Fiheheka.exe 4816 Ghpooanf.exe 2020 Gojgkl32.exe 496 Hembndee.exe 3320 Iameid32.exe 2148 Ihgnfnjl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ijjnpg32.exe Hhehkepj.exe File opened for modification C:\Windows\SysWOW64\Okpkgm32.exe Naqqmieo.exe File created C:\Windows\SysWOW64\Fpfmgq32.dll Gijmlh32.exe File created C:\Windows\SysWOW64\Qeaepc32.dll Ebdlkdlp.exe File created C:\Windows\SysWOW64\Pmdgahkj.dll Egjobl32.exe File created C:\Windows\SysWOW64\Bidefbcg.exe Bhblfpng.exe File created C:\Windows\SysWOW64\Bjaqih32.exe Bjodch32.exe File created C:\Windows\SysWOW64\Ofpfmaai.dll Lddgghfo.exe File opened for modification C:\Windows\SysWOW64\Fkihgb32.exe Fdopkhfk.exe File created C:\Windows\SysWOW64\Ljkldp32.dll Lnjnjn32.exe File created C:\Windows\SysWOW64\Imieblgl.exe Igomeb32.exe File created C:\Windows\SysWOW64\Iameid32.exe Hembndee.exe File created C:\Windows\SysWOW64\Olhlaoea.exe Ofncde32.exe File created C:\Windows\SysWOW64\Gabfqkan.dll Kimgad32.exe File created C:\Windows\SysWOW64\Lljked32.exe Ljloii32.exe File created C:\Windows\SysWOW64\Bpjkbcbe.exe Aohbbqme.exe File created C:\Windows\SysWOW64\Iponfm32.dll Bimkde32.exe File created C:\Windows\SysWOW64\Lnadkmhj.exe Lgglnb32.exe File created C:\Windows\SysWOW64\Mjnfnn32.dll Mgceqh32.exe File created C:\Windows\SysWOW64\Gikdep32.exe Gldgflba.exe File created C:\Windows\SysWOW64\Bhjgdplo.exe Akffjkme.exe File created C:\Windows\SysWOW64\Ijoahfmh.dll Knoonphp.exe File created C:\Windows\SysWOW64\Kgopbj32.exe Kglcmk32.exe File created C:\Windows\SysWOW64\Cakghn32.exe Cfdgcmqd.exe File opened for modification C:\Windows\SysWOW64\Domdcpib.exe Dnmhim32.exe File created C:\Windows\SysWOW64\Hnokjm32.exe Hfamia32.exe File created C:\Windows\SysWOW64\Nmeikqpi.dll Heohinog.exe File created C:\Windows\SysWOW64\Fdqcaihb.dll Lkgkqh32.exe File created C:\Windows\SysWOW64\Ckgmjh32.dll Jookdcie.exe File created C:\Windows\SysWOW64\Plgpjhnf.exe Pfjgbapo.exe File created C:\Windows\SysWOW64\Dccpdooi.dll Ckaffjbg.exe File opened for modification C:\Windows\SysWOW64\Elbhde32.exe Ejaklmpd.exe File created C:\Windows\SysWOW64\Ebgpkj32.exe Ekmhnpfl.exe File created C:\Windows\SysWOW64\Hbeece32.exe Hlkmfkli.exe File opened for modification C:\Windows\SysWOW64\Bobalm32.exe Bhhiocdg.exe File opened for modification C:\Windows\SysWOW64\Falmabki.exe Fchlhnlo.exe File opened for modification C:\Windows\SysWOW64\Iodaikfl.exe Ifipmo32.exe File opened for modification C:\Windows\SysWOW64\Ecgcpc32.exe Emmkci32.exe File created C:\Windows\SysWOW64\Amaegbgd.dll Jikojcaa.exe File created C:\Windows\SysWOW64\Inmmfl32.dll Ehbgjenf.exe File opened for modification C:\Windows\SysWOW64\Qjjhla32.exe Pdmpck32.exe File created C:\Windows\SysWOW64\Oopnio32.dll Lbnnphhk.exe File opened for modification C:\Windows\SysWOW64\Nbadmege.exe Nlglpkpi.exe File created C:\Windows\SysWOW64\Klnkoc32.exe Klgend32.exe File opened for modification C:\Windows\SysWOW64\Bpjkbcbe.exe Aohbbqme.exe File created C:\Windows\SysWOW64\Gbenjm32.exe Gmhfbf32.exe File opened for modification C:\Windows\SysWOW64\Kelkkpae.exe Knabne32.exe File created C:\Windows\SysWOW64\Oakbonkb.exe Ojommdfh.exe File created C:\Windows\SysWOW64\Lpipoahh.dll Eennefib.exe File opened for modification C:\Windows\SysWOW64\Kgphje32.exe Kabpan32.exe File opened for modification C:\Windows\SysWOW64\Ebgpkj32.exe Ekmhnpfl.exe File created C:\Windows\SysWOW64\Oddeop32.dll Dgqqnjea.exe File created C:\Windows\SysWOW64\Caadnc32.dll Mgoboake.exe File created C:\Windows\SysWOW64\Mfnojh32.exe Modgnn32.exe File created C:\Windows\SysWOW64\Hhbnqi32.exe Hmlicp32.exe File opened for modification C:\Windows\SysWOW64\Pkaijl32.exe Ojopki32.exe File opened for modification C:\Windows\SysWOW64\Cellfm32.exe Ckghid32.exe File created C:\Windows\SysWOW64\Fjnjjlog.exe Ecphbckp.exe File created C:\Windows\SysWOW64\Nnojad32.exe Ngeaej32.exe File opened for modification C:\Windows\SysWOW64\Phjdggoj.exe Omdpio32.exe File created C:\Windows\SysWOW64\Gibeidka.dll Afpjoaeo.exe File opened for modification C:\Windows\SysWOW64\Kceoppmo.exe Jcoioabf.exe File opened for modification C:\Windows\SysWOW64\Omdnbd32.exe Ndliin32.exe File created C:\Windows\SysWOW64\Lajmmc32.exe Kolaqh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aggean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfeahffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phhjdncl.dll" Lcdjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnealfkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqakln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnanpfdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nehekq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lajmmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpdooi.dll" Ckaffjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklkea32.dll" Kqbdej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmbll32.dll" Boipfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegheo32.dll" Fmikoggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecfjhpp.dll" Hcmbnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oklegcdn.dll" Cahdhhep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnhlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgljffm.dll" Icfnjcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keadnlmk.dll" Kpdbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobieq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpeapilo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akpojpic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpolahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnblfkcj.dll" Omhpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipqnknld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpaec32.dll" Kjhlipla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmgmonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehmibdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhoncm32.dll" Lgibjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npabeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekfnbbc.dll" Ceehcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkgqpaed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dffmogji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkeehp32.dll" Dcjfpfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmcgllb.dll" Aklmjfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmlbdad.dll" Aohbbqme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iempingp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igomeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pomgcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aklmjfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mllabgnk.dll" Ekkkip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehmibdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndnocba.dll" Fjoadbbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnank32.dll" Ojopki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqbfnnhd.dll" Oggjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdqkap32.dll" Hfodnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqmhlego.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcaap32.dll" Pebfen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjmkhkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhllpk32.dll" Adiknkco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiikkada.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdhemn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbeece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngeaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poagma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbgibgpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcnbekok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjgbapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikomogf.dll" Gaadpqmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapeapja.dll" Cpglgmfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljffccjh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1332 wrote to memory of 4344 1332 0aaf84187c78a0204a05a9cf5a31b1c5.exe 94 PID 1332 wrote to memory of 4344 1332 0aaf84187c78a0204a05a9cf5a31b1c5.exe 94 PID 1332 wrote to memory of 4344 1332 0aaf84187c78a0204a05a9cf5a31b1c5.exe 94 PID 4344 wrote to memory of 468 4344 Pmjhlklg.exe 95 PID 4344 wrote to memory of 468 4344 Pmjhlklg.exe 95 PID 4344 wrote to memory of 468 4344 Pmjhlklg.exe 95 PID 468 wrote to memory of 2520 468 Acdioc32.exe 96 PID 468 wrote to memory of 2520 468 Acdioc32.exe 96 PID 468 wrote to memory of 2520 468 Acdioc32.exe 96 PID 2520 wrote to memory of 1012 2520 Bcnleb32.exe 97 PID 2520 wrote to memory of 1012 2520 Bcnleb32.exe 97 PID 2520 wrote to memory of 1012 2520 Bcnleb32.exe 97 PID 1012 wrote to memory of 3848 1012 Cmpcdfll.exe 98 PID 1012 wrote to memory of 3848 1012 Cmpcdfll.exe 98 PID 1012 wrote to memory of 3848 1012 Cmpcdfll.exe 98 PID 3848 wrote to memory of 1260 3848 Clgmkbna.exe 99 PID 3848 wrote to memory of 1260 3848 Clgmkbna.exe 99 PID 3848 wrote to memory of 1260 3848 Clgmkbna.exe 99 PID 1260 wrote to memory of 3128 1260 Eennefib.exe 100 PID 1260 wrote to memory of 3128 1260 Eennefib.exe 100 PID 1260 wrote to memory of 3128 1260 Eennefib.exe 100 PID 3128 wrote to memory of 1120 3128 Eegqldqg.exe 101 PID 3128 wrote to memory of 1120 3128 Eegqldqg.exe 101 PID 3128 wrote to memory of 1120 3128 Eegqldqg.exe 101 PID 1120 wrote to memory of 3368 1120 Fpoaom32.exe 102 PID 1120 wrote to memory of 3368 1120 Fpoaom32.exe 102 PID 1120 wrote to memory of 3368 1120 Fpoaom32.exe 102 PID 3368 wrote to memory of 2360 3368 Ffnglc32.exe 103 PID 3368 wrote to memory of 2360 3368 Ffnglc32.exe 103 PID 3368 wrote to memory of 2360 3368 Ffnglc32.exe 103 PID 2360 wrote to memory of 1736 2360 Gjnlha32.exe 104 PID 2360 wrote to memory of 1736 2360 Gjnlha32.exe 104 PID 2360 wrote to memory of 1736 2360 Gjnlha32.exe 104 PID 1736 wrote to memory of 3528 1736 Gfemmb32.exe 105 PID 1736 wrote to memory of 3528 1736 Gfemmb32.exe 105 PID 1736 wrote to memory of 3528 1736 Gfemmb32.exe 105 PID 3528 wrote to memory of 4392 3528 Gckjlf32.exe 106 PID 3528 wrote to memory of 4392 3528 Gckjlf32.exe 106 PID 3528 wrote to memory of 4392 3528 Gckjlf32.exe 106 PID 4392 wrote to memory of 1828 4392 Hfamia32.exe 107 PID 4392 wrote to memory of 1828 4392 Hfamia32.exe 107 PID 4392 wrote to memory of 1828 4392 Hfamia32.exe 107 PID 1828 wrote to memory of 3456 1828 Hnokjm32.exe 108 PID 1828 wrote to memory of 3456 1828 Hnokjm32.exe 108 PID 1828 wrote to memory of 3456 1828 Hnokjm32.exe 108 PID 3456 wrote to memory of 4636 3456 Igneda32.exe 109 PID 3456 wrote to memory of 4636 3456 Igneda32.exe 109 PID 3456 wrote to memory of 4636 3456 Igneda32.exe 109 PID 4636 wrote to memory of 4916 4636 Jcoioabf.exe 110 PID 4636 wrote to memory of 4916 4636 Jcoioabf.exe 110 PID 4636 wrote to memory of 4916 4636 Jcoioabf.exe 110 PID 4916 wrote to memory of 732 4916 Kceoppmo.exe 111 PID 4916 wrote to memory of 732 4916 Kceoppmo.exe 111 PID 4916 wrote to memory of 732 4916 Kceoppmo.exe 111 PID 732 wrote to memory of 4200 732 Ldanloba.exe 112 PID 732 wrote to memory of 4200 732 Ldanloba.exe 112 PID 732 wrote to memory of 4200 732 Ldanloba.exe 112 PID 4200 wrote to memory of 2280 4200 Laeoec32.exe 113 PID 4200 wrote to memory of 2280 4200 Laeoec32.exe 113 PID 4200 wrote to memory of 2280 4200 Laeoec32.exe 113 PID 2280 wrote to memory of 5068 2280 Mgbpdgap.exe 114 PID 2280 wrote to memory of 5068 2280 Mgbpdgap.exe 114 PID 2280 wrote to memory of 5068 2280 Mgbpdgap.exe 114 PID 5068 wrote to memory of 4384 5068 Ohbfeh32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\0aaf84187c78a0204a05a9cf5a31b1c5.exe"C:\Users\Admin\AppData\Local\Temp\0aaf84187c78a0204a05a9cf5a31b1c5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Cmpcdfll.exeC:\Windows\system32\Cmpcdfll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Eegqldqg.exeC:\Windows\system32\Eegqldqg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Gckjlf32.exeC:\Windows\system32\Gckjlf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Igneda32.exeC:\Windows\system32\Igneda32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Ldanloba.exeC:\Windows\system32\Ldanloba.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Laeoec32.exeC:\Windows\system32\Laeoec32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4384 -
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe24⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Deagoa32.exeC:\Windows\system32\Deagoa32.exe27⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe28⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Elnehifk.exeC:\Windows\system32\Elnehifk.exe29⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Fgcjea32.exeC:\Windows\system32\Fgcjea32.exe30⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Fikihlmj.exeC:\Windows\system32\Fikihlmj.exe31⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Gegchl32.exeC:\Windows\system32\Gegchl32.exe32⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Glqkefff.exeC:\Windows\system32\Glqkefff.exe33⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Hpaqqdjj.exeC:\Windows\system32\Hpaqqdjj.exe34⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Hfniikha.exeC:\Windows\system32\Hfniikha.exe35⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Hhehkepj.exeC:\Windows\system32\Hhehkepj.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Ijjnpg32.exeC:\Windows\system32\Ijjnpg32.exe37⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Jcihjl32.exeC:\Windows\system32\Jcihjl32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Jmamba32.exeC:\Windows\system32\Jmamba32.exe39⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Jcnbekok.exeC:\Windows\system32\Jcnbekok.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Kimgba32.exeC:\Windows\system32\Kimgba32.exe41⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Kjopbd32.exeC:\Windows\system32\Kjopbd32.exe42⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Ljffccjh.exeC:\Windows\system32\Ljffccjh.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Lglcag32.exeC:\Windows\system32\Lglcag32.exe44⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Mfomda32.exeC:\Windows\system32\Mfomda32.exe45⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Naqqmieo.exeC:\Windows\system32\Naqqmieo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4084 -
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe47⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Paomog32.exeC:\Windows\system32\Paomog32.exe48⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe49⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Qhddgofo.exeC:\Windows\system32\Qhddgofo.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Ajjjjghg.exeC:\Windows\system32\Ajjjjghg.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Anjpeelk.exeC:\Windows\system32\Anjpeelk.exe52⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe53⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Bndblcdq.exeC:\Windows\system32\Bndblcdq.exe54⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Cnhlgc32.exeC:\Windows\system32\Cnhlgc32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Dabhomea.exeC:\Windows\system32\Dabhomea.exe56⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Dagajlal.exeC:\Windows\system32\Dagajlal.exe57⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe58⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ehmibdol.exeC:\Windows\system32\Ehmibdol.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Fiheheka.exeC:\Windows\system32\Fiheheka.exe60⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Ghpooanf.exeC:\Windows\system32\Ghpooanf.exe61⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Gojgkl32.exeC:\Windows\system32\Gojgkl32.exe62⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Hembndee.exeC:\Windows\system32\Hembndee.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:496 -
C:\Windows\SysWOW64\Iameid32.exeC:\Windows\system32\Iameid32.exe64⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Ihgnfnjl.exeC:\Windows\system32\Ihgnfnjl.exe65⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ikejbjip.exeC:\Windows\system32\Ikejbjip.exe66⤵PID:4668
-
C:\Windows\SysWOW64\Ieknpb32.exeC:\Windows\system32\Ieknpb32.exe67⤵PID:1800
-
C:\Windows\SysWOW64\Ikhghi32.exeC:\Windows\system32\Ikhghi32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1240 -
C:\Windows\SysWOW64\Iohlcg32.exeC:\Windows\system32\Iohlcg32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4560 -
C:\Windows\SysWOW64\Jbghpc32.exeC:\Windows\system32\Jbghpc32.exe70⤵PID:1448
-
C:\Windows\SysWOW64\Jhqqlmba.exeC:\Windows\system32\Jhqqlmba.exe71⤵PID:868
-
C:\Windows\SysWOW64\Kcikfcab.exeC:\Windows\system32\Kcikfcab.exe72⤵PID:3056
-
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe73⤵
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Ljoboloa.exeC:\Windows\system32\Ljoboloa.exe74⤵PID:700
-
C:\Windows\SysWOW64\Miflehaf.exeC:\Windows\system32\Miflehaf.exe75⤵PID:4188
-
C:\Windows\SysWOW64\Mikepg32.exeC:\Windows\system32\Mikepg32.exe76⤵PID:1192
-
C:\Windows\SysWOW64\Mcpjnp32.exeC:\Windows\system32\Mcpjnp32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1180 -
C:\Windows\SysWOW64\Ncecioib.exeC:\Windows\system32\Ncecioib.exe78⤵PID:5088
-
C:\Windows\SysWOW64\Njceqili.exeC:\Windows\system32\Njceqili.exe79⤵PID:4972
-
C:\Windows\SysWOW64\Ndliin32.exeC:\Windows\system32\Ndliin32.exe80⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Omdnbd32.exeC:\Windows\system32\Omdnbd32.exe81⤵PID:656
-
C:\Windows\SysWOW64\Ofmbkipk.exeC:\Windows\system32\Ofmbkipk.exe82⤵PID:472
-
C:\Windows\SysWOW64\Oljkcpnb.exeC:\Windows\system32\Oljkcpnb.exe83⤵PID:4856
-
C:\Windows\SysWOW64\Opgciodi.exeC:\Windows\system32\Opgciodi.exe84⤵PID:3504
-
C:\Windows\SysWOW64\Ojmgggdo.exeC:\Windows\system32\Ojmgggdo.exe85⤵PID:2928
-
C:\Windows\SysWOW64\Olndnp32.exeC:\Windows\system32\Olndnp32.exe86⤵PID:352
-
C:\Windows\SysWOW64\Oibdhd32.exeC:\Windows\system32\Oibdhd32.exe87⤵PID:1532
-
C:\Windows\SysWOW64\Pmpmnb32.exeC:\Windows\system32\Pmpmnb32.exe88⤵PID:4368
-
C:\Windows\SysWOW64\Pmefiakh.exeC:\Windows\system32\Pmefiakh.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Qlajkm32.exeC:\Windows\system32\Qlajkm32.exe90⤵PID:644
-
C:\Windows\SysWOW64\Akbjidbf.exeC:\Windows\system32\Akbjidbf.exe91⤵PID:4048
-
C:\Windows\SysWOW64\Akkmocjl.exeC:\Windows\system32\Akkmocjl.exe92⤵PID:5020
-
C:\Windows\SysWOW64\Bkepeaaa.exeC:\Windows\system32\Bkepeaaa.exe93⤵PID:5140
-
C:\Windows\SysWOW64\Ccbaoc32.exeC:\Windows\system32\Ccbaoc32.exe94⤵PID:5192
-
C:\Windows\SysWOW64\Cmmbmiag.exeC:\Windows\system32\Cmmbmiag.exe95⤵PID:5236
-
C:\Windows\SysWOW64\Cjabgm32.exeC:\Windows\system32\Cjabgm32.exe96⤵PID:5288
-
C:\Windows\SysWOW64\Dmfecgim.exeC:\Windows\system32\Dmfecgim.exe97⤵PID:5344
-
C:\Windows\SysWOW64\Djalnkbo.exeC:\Windows\system32\Djalnkbo.exe98⤵PID:5408
-
C:\Windows\SysWOW64\Fchlhnlo.exeC:\Windows\system32\Fchlhnlo.exe99⤵
- Drops file in System32 directory
PID:5448 -
C:\Windows\SysWOW64\Falmabki.exeC:\Windows\system32\Falmabki.exe100⤵PID:5528
-
C:\Windows\SysWOW64\Fhjoilop.exeC:\Windows\system32\Fhjoilop.exe101⤵PID:5568
-
C:\Windows\SysWOW64\Gmggac32.exeC:\Windows\system32\Gmggac32.exe102⤵PID:5616
-
C:\Windows\SysWOW64\Ghmkol32.exeC:\Windows\system32\Ghmkol32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5668 -
C:\Windows\SysWOW64\Galfhpmf.exeC:\Windows\system32\Galfhpmf.exe104⤵PID:5716
-
C:\Windows\SysWOW64\Glajeiml.exeC:\Windows\system32\Glajeiml.exe105⤵PID:5756
-
C:\Windows\SysWOW64\Hopfadlp.exeC:\Windows\system32\Hopfadlp.exe106⤵PID:5796
-
C:\Windows\SysWOW64\Hldgkiki.exeC:\Windows\system32\Hldgkiki.exe107⤵PID:5848
-
C:\Windows\SysWOW64\Helkdnaj.exeC:\Windows\system32\Helkdnaj.exe108⤵PID:5896
-
C:\Windows\SysWOW64\Heohinog.exeC:\Windows\system32\Heohinog.exe109⤵
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Hlkmlhea.exeC:\Windows\system32\Hlkmlhea.exe110⤵PID:6008
-
C:\Windows\SysWOW64\Hmlicp32.exeC:\Windows\system32\Hmlicp32.exe111⤵
- Drops file in System32 directory
PID:6052 -
C:\Windows\SysWOW64\Hhbnqi32.exeC:\Windows\system32\Hhbnqi32.exe112⤵PID:6092
-
C:\Windows\SysWOW64\Imofip32.exeC:\Windows\system32\Imofip32.exe113⤵PID:4912
-
C:\Windows\SysWOW64\Jolodqcp.exeC:\Windows\system32\Jolodqcp.exe114⤵PID:5204
-
C:\Windows\SysWOW64\Jekpljgg.exeC:\Windows\system32\Jekpljgg.exe115⤵PID:5284
-
C:\Windows\SysWOW64\Klgend32.exeC:\Windows\system32\Klgend32.exe116⤵
- Drops file in System32 directory
PID:4452 -
C:\Windows\SysWOW64\Klnkoc32.exeC:\Windows\system32\Klnkoc32.exe117⤵PID:5384
-
C:\Windows\SysWOW64\Kffphhmj.exeC:\Windows\system32\Kffphhmj.exe118⤵PID:1268
-
C:\Windows\SysWOW64\Lhgiic32.exeC:\Windows\system32\Lhgiic32.exe119⤵PID:5456
-
C:\Windows\SysWOW64\Lilbdcfe.exeC:\Windows\system32\Lilbdcfe.exe120⤵PID:5524
-
C:\Windows\SysWOW64\Lohggm32.exeC:\Windows\system32\Lohggm32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-