Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
166s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
02/01/2024, 14:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e69f49fe5a56918207f4a3894a45ed07.exe
Resource
win7-20231215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e69f49fe5a56918207f4a3894a45ed07.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e69f49fe5a56918207f4a3894a45ed07.exe
-
Size
314KB
-
MD5
e69f49fe5a56918207f4a3894a45ed07
-
SHA1
277a061a971d779ddc588756d6be00e7bc60a47c
-
SHA256
3e744f57f9434dc63d51394510b9c3150c7eb7f8bb5117b1d9fcddc661b79965
-
SHA512
5cb35fa47e8f03f2dae75d352fd15f8e8174dbca60f91e9bff414123376c8a4e89dcdc50a43126e5dc3d2fba25c6b7d99b06ab215ea75ba395313485d5ffe14d
-
SSDEEP
6144:d9Mp1/Psj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:dup1O6Najb87gP3C
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpmmhpgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcalae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emllbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnlhgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbgqdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkmngfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahacndjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcnnllcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgaelcgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdhcjpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fchdnkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keifdpif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplimi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Booaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfepa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfddci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akbjidbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljmal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcffb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fobomglo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laiiie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjfakng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jloibkhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmjpoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epaemojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjjcmbci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefmgogl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegnol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epoplk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoinlbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad e69f49fe5a56918207f4a3894a45ed07.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhehkepj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnnfghd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaehepeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogkgmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfgboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbgndoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocmchdmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplhab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjgncihp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonhqnpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mofmhhcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obikgppg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnlmdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmbjcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbceoped.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cflkihbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjcdih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmqoqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhemfbnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bccfleqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mledgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmoafdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfonnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfddci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaljpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oboicmhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnhkpgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofdqcc32.exe -
Executes dropped EXE 64 IoCs
pid Process 4804 Iajdgcab.exe 3376 Keifdpif.exe 768 Lpgmhg32.exe 1756 Mcaipa32.exe 216 Mpeiie32.exe 1064 Nmcpoedn.exe 4060 Nmjfodne.exe 2272 Pplhhm32.exe 760 Abmjqe32.exe 1984 Bmladm32.exe 1116 Cdmoafdb.exe 4732 Ddcebe32.exe 2152 Dcphdqmj.exe 3120 Edoencdm.exe 1656 Eqmlccdi.exe 3560 Fkjfakng.exe 3356 Gcnnllcg.exe 4416 Gndbie32.exe 2496 Gdnjfojj.exe 2236 Hgeihiac.exe 1884 Ielfgmnj.exe 4180 Jejbhk32.exe 3368 Jjnaaa32.exe 2872 Khabke32.exe 3840 Kaaldjil.exe 2884 Ofdqcc32.exe 1244 Pbgqdb32.exe 4328 Qppkhfec.exe 4736 Bpbpecen.exe 1716 Dfonnk32.exe 1356 Dpjompqc.exe 4668 Epaemojk.exe 3108 Eippgckc.exe 4460 Fjjcmbci.exe 1692 Gphddlfp.exe 4808 Gfemmb32.exe 2952 Gdfmkjlg.exe 1848 Gglpgd32.exe 3556 Hgnlmdcp.exe 4300 Hjabdo32.exe 4024 Iqbpahpc.exe 1888 Igneda32.exe 1836 Jegohe32.exe 404 Jmdqbg32.exe 3584 Jndmlj32.exe 3336 Kfanflne.exe 1280 Kagbdenk.exe 4908 Kfdklllb.exe 220 Kffhakjp.exe 772 Ldoafodd.exe 4812 Lacbpccn.exe 4820 Lmjcdd32.exe 4932 Lfddci32.exe 436 Ldhdlnli.exe 2856 Loniiflo.exe 4844 Mejnlpai.exe 4224 Mmebpbod.exe 4312 Mhkgnkoj.exe 3156 Nahdapae.exe 3400 Nefmgogl.exe 2044 Ndkjik32.exe 3524 Naokbokn.exe 2484 Philfgdh.exe 3816 Pnhacn32.exe -
Loads dropped DLL 1 IoCs
pid Process 5064 Bchogd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jabglkpp.dll Mjggka32.exe File created C:\Windows\SysWOW64\Dfonnk32.exe Bpbpecen.exe File opened for modification C:\Windows\SysWOW64\Nefmgogl.exe Nahdapae.exe File opened for modification C:\Windows\SysWOW64\Lpmmhpgp.exe Ikifhm32.exe File created C:\Windows\SysWOW64\Pgpobmca.exe Pjlnhi32.exe File created C:\Windows\SysWOW64\Jcdafg32.exe Jkgpleaf.exe File created C:\Windows\SysWOW64\Kaadhg32.dll Pmoijcje.exe File created C:\Windows\SysWOW64\Ijkloi32.exe Indkih32.exe File created C:\Windows\SysWOW64\Dhdaao32.exe Dkqahk32.exe File opened for modification C:\Windows\SysWOW64\Ankdbf32.exe Pbkagfba.exe File created C:\Windows\SysWOW64\Cbmjen32.dll Gdeqaa32.exe File opened for modification C:\Windows\SysWOW64\Okjnhpee.exe Oboicmhj.exe File opened for modification C:\Windows\SysWOW64\Noaoagca.exe Midfiq32.exe File created C:\Windows\SysWOW64\Knlfkb32.dll Doeghk32.exe File opened for modification C:\Windows\SysWOW64\Doojni32.exe Dhdaao32.exe File created C:\Windows\SysWOW64\Clddbd32.dll Bkkhlhlj.exe File opened for modification C:\Windows\SysWOW64\Edoencdm.exe Dcphdqmj.exe File created C:\Windows\SysWOW64\Kncfkjpc.dll Mibpng32.exe File created C:\Windows\SysWOW64\Elahnadm.dll Nlljglpc.exe File created C:\Windows\SysWOW64\Qomghp32.exe Pgaelcgm.exe File opened for modification C:\Windows\SysWOW64\Jijhom32.exe Iciflfcd.exe File opened for modification C:\Windows\SysWOW64\Npabeq32.exe Mgimmkgp.exe File created C:\Windows\SysWOW64\Jjjfeo32.dll Ddcebe32.exe File created C:\Windows\SysWOW64\Odooqo32.exe Ojdnbj32.exe File created C:\Windows\SysWOW64\Deokhc32.exe Dfmjjl32.exe File opened for modification C:\Windows\SysWOW64\Kjhlipla.exe Kjepcqnd.exe File created C:\Windows\SysWOW64\Pmoijcje.exe Odooqo32.exe File opened for modification C:\Windows\SysWOW64\Lgmbmn32.exe Llhnpe32.exe File created C:\Windows\SysWOW64\Oimlagii.dll Pdhklgnf.exe File created C:\Windows\SysWOW64\Mmnklgqn.dll Emdaee32.exe File created C:\Windows\SysWOW64\Ojcidelf.exe Nphhfp32.exe File created C:\Windows\SysWOW64\Glgoje32.dll Aedfdjdl.exe File created C:\Windows\SysWOW64\Njbgfp32.exe Nciojeem.exe File opened for modification C:\Windows\SysWOW64\Hjabdo32.exe Hgnlmdcp.exe File created C:\Windows\SysWOW64\Jkgmmjgh.dll Iaahjmkn.exe File opened for modification C:\Windows\SysWOW64\Ckdkbfco.exe Cdjbel32.exe File opened for modification C:\Windows\SysWOW64\Pehghhgc.exe Pbiklmhp.exe File opened for modification C:\Windows\SysWOW64\Bkcjjhgp.exe Bhbahm32.exe File opened for modification C:\Windows\SysWOW64\Aihfjd32.exe Appaangd.exe File created C:\Windows\SysWOW64\Eekanh32.exe Cbgbpp32.exe File created C:\Windows\SysWOW64\Ldcofihm.dll Cmnncb32.exe File opened for modification C:\Windows\SysWOW64\Mcaipa32.exe Lpgmhg32.exe File opened for modification C:\Windows\SysWOW64\Pcaoahio.exe Pdlbpldg.exe File opened for modification C:\Windows\SysWOW64\Ikifhm32.exe Impldi32.exe File created C:\Windows\SysWOW64\Bagphg32.dll Mnojcb32.exe File created C:\Windows\SysWOW64\Ininloda.exe Ihlechfj.exe File opened for modification C:\Windows\SysWOW64\Kibmqond.exe Jhndepbi.exe File created C:\Windows\SysWOW64\Fmklob32.dll Aapnfe32.exe File created C:\Windows\SysWOW64\Ejdhcjpl.exe Bkbcpb32.exe File created C:\Windows\SysWOW64\Gmdknbko.dll Dlegokbe.exe File created C:\Windows\SysWOW64\Lejngd32.exe Kbneij32.exe File created C:\Windows\SysWOW64\Kjpaec32.dll Kjhlipla.exe File created C:\Windows\SysWOW64\Eiidnkam.dll Iajdgcab.exe File created C:\Windows\SysWOW64\Odnjbcmc.dll Iqbpahpc.exe File created C:\Windows\SysWOW64\Okeifa32.dll Opcqgh32.exe File created C:\Windows\SysWOW64\Kbjkbj32.dll Iggakn32.exe File created C:\Windows\SysWOW64\Kedlbf32.exe Kojdflkl.exe File opened for modification C:\Windows\SysWOW64\Cmnncb32.exe Ckpagg32.exe File created C:\Windows\SysWOW64\Cpacjm32.exe Ckdkbfco.exe File opened for modification C:\Windows\SysWOW64\Keifdpif.exe Iajdgcab.exe File opened for modification C:\Windows\SysWOW64\Lckglc32.exe Kkkldg32.exe File created C:\Windows\SysWOW64\Coegih32.exe Ciioaa32.exe File opened for modification C:\Windows\SysWOW64\Ckphamkp.exe Cdfpdc32.exe File created C:\Windows\SysWOW64\Gdgiknio.dll Pgihppgo.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocdnedkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iicboncn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflfp32.dll" Nohdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgjjgkh.dll" Hddejjdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqpoja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doeghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkempa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okkidceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldnoemd.dll" Hnddqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difici32.dll" Qdflaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhlipla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgimjd32.dll" Fkjfakng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apdicjnk.dll" Mjaodkmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmikfcb.dll" Qipqibmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbmaehm.dll" Aappdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihnbih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oilmckml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggajho32.dll" Pgaelcgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejaecdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnlgckh.dll" Lgmnqmam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liikiccg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naokbokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkgn32.dll" Icooig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkllgnco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppopcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbqiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akbjidbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajnkmjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qocfjlan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimlagii.dll" Pdhklgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djklgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcggga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjcmognb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaehepeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoifoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefbcdik.dll" Ahnghafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opnglhnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlelbe32.dll" Dmmblkpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenldl32.dll" Ajfhhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lejngd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nciojeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmjcdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjlnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfbjkc32.dll" Lhbafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgmhmggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headnoed.dll" Qomghp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlajkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajcffka.dll" Njdlfbgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbgqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eodclj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofaqlji.dll" Bchogd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nllekk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opcqgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbgejcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aljmal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekeacmel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfacai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bccfleqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhbafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbgqdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oblhlpne.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2452 wrote to memory of 4804 2452 e69f49fe5a56918207f4a3894a45ed07.exe 91 PID 2452 wrote to memory of 4804 2452 e69f49fe5a56918207f4a3894a45ed07.exe 91 PID 2452 wrote to memory of 4804 2452 e69f49fe5a56918207f4a3894a45ed07.exe 91 PID 4804 wrote to memory of 3376 4804 Iajdgcab.exe 92 PID 4804 wrote to memory of 3376 4804 Iajdgcab.exe 92 PID 4804 wrote to memory of 3376 4804 Iajdgcab.exe 92 PID 3376 wrote to memory of 768 3376 Keifdpif.exe 93 PID 3376 wrote to memory of 768 3376 Keifdpif.exe 93 PID 3376 wrote to memory of 768 3376 Keifdpif.exe 93 PID 768 wrote to memory of 1756 768 Lpgmhg32.exe 94 PID 768 wrote to memory of 1756 768 Lpgmhg32.exe 94 PID 768 wrote to memory of 1756 768 Lpgmhg32.exe 94 PID 1756 wrote to memory of 216 1756 Mcaipa32.exe 95 PID 1756 wrote to memory of 216 1756 Mcaipa32.exe 95 PID 1756 wrote to memory of 216 1756 Mcaipa32.exe 95 PID 216 wrote to memory of 1064 216 Mpeiie32.exe 96 PID 216 wrote to memory of 1064 216 Mpeiie32.exe 96 PID 216 wrote to memory of 1064 216 Mpeiie32.exe 96 PID 1064 wrote to memory of 4060 1064 Nmcpoedn.exe 97 PID 1064 wrote to memory of 4060 1064 Nmcpoedn.exe 97 PID 1064 wrote to memory of 4060 1064 Nmcpoedn.exe 97 PID 4060 wrote to memory of 2272 4060 Nmjfodne.exe 98 PID 4060 wrote to memory of 2272 4060 Nmjfodne.exe 98 PID 4060 wrote to memory of 2272 4060 Nmjfodne.exe 98 PID 2272 wrote to memory of 760 2272 Pplhhm32.exe 99 PID 2272 wrote to memory of 760 2272 Pplhhm32.exe 99 PID 2272 wrote to memory of 760 2272 Pplhhm32.exe 99 PID 760 wrote to memory of 1984 760 Abmjqe32.exe 100 PID 760 wrote to memory of 1984 760 Abmjqe32.exe 100 PID 760 wrote to memory of 1984 760 Abmjqe32.exe 100 PID 1984 wrote to memory of 1116 1984 Bmladm32.exe 101 PID 1984 wrote to memory of 1116 1984 Bmladm32.exe 101 PID 1984 wrote to memory of 1116 1984 Bmladm32.exe 101 PID 1116 wrote to memory of 4732 1116 Cdmoafdb.exe 102 PID 1116 wrote to memory of 4732 1116 Cdmoafdb.exe 102 PID 1116 wrote to memory of 4732 1116 Cdmoafdb.exe 102 PID 4732 wrote to memory of 2152 4732 Ddcebe32.exe 103 PID 4732 wrote to memory of 2152 4732 Ddcebe32.exe 103 PID 4732 wrote to memory of 2152 4732 Ddcebe32.exe 103 PID 2152 wrote to memory of 3120 2152 Dcphdqmj.exe 104 PID 2152 wrote to memory of 3120 2152 Dcphdqmj.exe 104 PID 2152 wrote to memory of 3120 2152 Dcphdqmj.exe 104 PID 3120 wrote to memory of 1656 3120 Edoencdm.exe 105 PID 3120 wrote to memory of 1656 3120 Edoencdm.exe 105 PID 3120 wrote to memory of 1656 3120 Edoencdm.exe 105 PID 1656 wrote to memory of 3560 1656 Eqmlccdi.exe 106 PID 1656 wrote to memory of 3560 1656 Eqmlccdi.exe 106 PID 1656 wrote to memory of 3560 1656 Eqmlccdi.exe 106 PID 3560 wrote to memory of 3356 3560 Fkjfakng.exe 107 PID 3560 wrote to memory of 3356 3560 Fkjfakng.exe 107 PID 3560 wrote to memory of 3356 3560 Fkjfakng.exe 107 PID 3356 wrote to memory of 4416 3356 Gcnnllcg.exe 108 PID 3356 wrote to memory of 4416 3356 Gcnnllcg.exe 108 PID 3356 wrote to memory of 4416 3356 Gcnnllcg.exe 108 PID 4416 wrote to memory of 2496 4416 Gndbie32.exe 110 PID 4416 wrote to memory of 2496 4416 Gndbie32.exe 110 PID 4416 wrote to memory of 2496 4416 Gndbie32.exe 110 PID 2496 wrote to memory of 2236 2496 Gdnjfojj.exe 111 PID 2496 wrote to memory of 2236 2496 Gdnjfojj.exe 111 PID 2496 wrote to memory of 2236 2496 Gdnjfojj.exe 111 PID 2236 wrote to memory of 1884 2236 Hgeihiac.exe 112 PID 2236 wrote to memory of 1884 2236 Hgeihiac.exe 112 PID 2236 wrote to memory of 1884 2236 Hgeihiac.exe 112 PID 1884 wrote to memory of 4180 1884 Ielfgmnj.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\e69f49fe5a56918207f4a3894a45ed07.exe"C:\Users\Admin\AppData\Local\Temp\e69f49fe5a56918207f4a3894a45ed07.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Iajdgcab.exeC:\Windows\system32\Iajdgcab.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Keifdpif.exeC:\Windows\system32\Keifdpif.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Mcaipa32.exeC:\Windows\system32\Mcaipa32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Pplhhm32.exeC:\Windows\system32\Pplhhm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Abmjqe32.exeC:\Windows\system32\Abmjqe32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Bmladm32.exeC:\Windows\system32\Bmladm32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Cdmoafdb.exeC:\Windows\system32\Cdmoafdb.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe23⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe24⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe25⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe26⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Qppkhfec.exeC:\Windows\system32\Qppkhfec.exe29⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4736 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe32⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe34⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe36⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe37⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe38⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe39⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3556 -
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe41⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4024 -
C:\Windows\SysWOW64\Igneda32.exeC:\Windows\system32\Igneda32.exe43⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe44⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Jmdqbg32.exeC:\Windows\system32\Jmdqbg32.exe45⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe46⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Kfanflne.exeC:\Windows\system32\Kfanflne.exe47⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Kagbdenk.exeC:\Windows\system32\Kagbdenk.exe48⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Kfdklllb.exeC:\Windows\system32\Kfdklllb.exe49⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe50⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe51⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe52⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe55⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Loniiflo.exeC:\Windows\system32\Loniiflo.exe56⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe57⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe58⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe59⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3156 -
C:\Windows\SysWOW64\Nefmgogl.exeC:\Windows\system32\Nefmgogl.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe62⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe64⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe65⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4928 -
C:\Windows\SysWOW64\Qomghp32.exeC:\Windows\system32\Qomghp32.exe67⤵
- Modifies registry class
PID:3564 -
C:\Windows\SysWOW64\Bijncb32.exeC:\Windows\system32\Bijncb32.exe68⤵PID:4648
-
C:\Windows\SysWOW64\Cbnbhfde.exeC:\Windows\system32\Cbnbhfde.exe69⤵PID:4548
-
C:\Windows\SysWOW64\Hhehkepj.exeC:\Windows\system32\Hhehkepj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5080 -
C:\Windows\SysWOW64\Icklhnop.exeC:\Windows\system32\Icklhnop.exe71⤵PID:3976
-
C:\Windows\SysWOW64\Iqombb32.exeC:\Windows\system32\Iqombb32.exe72⤵PID:1604
-
C:\Windows\SysWOW64\Iodjcnca.exeC:\Windows\system32\Iodjcnca.exe73⤵PID:4584
-
C:\Windows\SysWOW64\Igkadlcd.exeC:\Windows\system32\Igkadlcd.exe74⤵PID:1056
-
C:\Windows\SysWOW64\Icbbimih.exeC:\Windows\system32\Icbbimih.exe75⤵PID:3364
-
C:\Windows\SysWOW64\Jgedjjki.exeC:\Windows\system32\Jgedjjki.exe76⤵PID:1712
-
C:\Windows\SysWOW64\Jmamba32.exeC:\Windows\system32\Jmamba32.exe77⤵PID:1208
-
C:\Windows\SysWOW64\Kgcqlh32.exeC:\Windows\system32\Kgcqlh32.exe78⤵PID:1720
-
C:\Windows\SysWOW64\Laiafl32.exeC:\Windows\system32\Laiafl32.exe79⤵PID:1044
-
C:\Windows\SysWOW64\Mfhgcbfo.exeC:\Windows\system32\Mfhgcbfo.exe80⤵PID:3684
-
C:\Windows\SysWOW64\Mmghklif.exeC:\Windows\system32\Mmghklif.exe81⤵PID:5200
-
C:\Windows\SysWOW64\Nmpkakak.exeC:\Windows\system32\Nmpkakak.exe82⤵PID:5240
-
C:\Windows\SysWOW64\Ngipjp32.exeC:\Windows\system32\Ngipjp32.exe83⤵PID:5288
-
C:\Windows\SysWOW64\Pjlnhi32.exeC:\Windows\system32\Pjlnhi32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Pgpobmca.exeC:\Windows\system32\Pgpobmca.exe85⤵PID:5404
-
C:\Windows\SysWOW64\Pafcofcg.exeC:\Windows\system32\Pafcofcg.exe86⤵PID:5444
-
C:\Windows\SysWOW64\Qdflaa32.exeC:\Windows\system32\Qdflaa32.exe87⤵
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Adnbapjp.exeC:\Windows\system32\Adnbapjp.exe89⤵PID:5596
-
C:\Windows\SysWOW64\Bhbahm32.exeC:\Windows\system32\Bhbahm32.exe90⤵
- Drops file in System32 directory
PID:5640 -
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe91⤵PID:5684
-
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe92⤵PID:5720
-
C:\Windows\SysWOW64\Bqbohocd.exeC:\Windows\system32\Bqbohocd.exe93⤵PID:5776
-
C:\Windows\SysWOW64\Cegnol32.exeC:\Windows\system32\Cegnol32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5820 -
C:\Windows\SysWOW64\Djklgb32.exeC:\Windows\system32\Djklgb32.exe95⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Dilmeida.exeC:\Windows\system32\Dilmeida.exe96⤵PID:5908
-
C:\Windows\SysWOW64\Dbgndoho.exeC:\Windows\system32\Dbgndoho.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Fhkecb32.exeC:\Windows\system32\Fhkecb32.exe98⤵PID:5996
-
C:\Windows\SysWOW64\Fbqiak32.exeC:\Windows\system32\Fbqiak32.exe99⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Gkcdfl32.exeC:\Windows\system32\Gkcdfl32.exe100⤵PID:6092
-
C:\Windows\SysWOW64\Icmbcg32.exeC:\Windows\system32\Icmbcg32.exe101⤵PID:6136
-
C:\Windows\SysWOW64\Icooig32.exeC:\Windows\system32\Icooig32.exe102⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Jbghpc32.exeC:\Windows\system32\Jbghpc32.exe103⤵PID:3572
-
C:\Windows\SysWOW64\Jloibkhh.exeC:\Windows\system32\Jloibkhh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Jfgnka32.exeC:\Windows\system32\Jfgnka32.exe105⤵PID:1196
-
C:\Windows\SysWOW64\Kfndlphp.exeC:\Windows\system32\Kfndlphp.exe106⤵PID:5280
-
C:\Windows\SysWOW64\Kkkldg32.exeC:\Windows\system32\Kkkldg32.exe107⤵
- Drops file in System32 directory
PID:216 -
C:\Windows\SysWOW64\Lckglc32.exeC:\Windows\system32\Lckglc32.exe108⤵PID:5380
-
C:\Windows\SysWOW64\Lihpdj32.exeC:\Windows\system32\Lihpdj32.exe109⤵PID:5424
-
C:\Windows\SysWOW64\Lobhqdec.exeC:\Windows\system32\Lobhqdec.exe110⤵PID:5524
-
C:\Windows\SysWOW64\Lcpqgbkj.exeC:\Windows\system32\Lcpqgbkj.exe111⤵PID:4976
-
C:\Windows\SysWOW64\Lmheph32.exeC:\Windows\system32\Lmheph32.exe112⤵PID:5648
-
C:\Windows\SysWOW64\Lfqjhmhk.exeC:\Windows\system32\Lfqjhmhk.exe113⤵PID:5692
-
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe114⤵PID:3192
-
C:\Windows\SysWOW64\Lmmokgne.exeC:\Windows\system32\Lmmokgne.exe115⤵PID:5812
-
C:\Windows\SysWOW64\Mcggga32.exeC:\Windows\system32\Mcggga32.exe116⤵
- Modifies registry class
PID:5748 -
C:\Windows\SysWOW64\Mjaodkmo.exeC:\Windows\system32\Mjaodkmo.exe117⤵
- Modifies registry class
PID:5896 -
C:\Windows\SysWOW64\Mmdekf32.exeC:\Windows\system32\Mmdekf32.exe118⤵PID:4732
-
C:\Windows\SysWOW64\Mflidl32.exeC:\Windows\system32\Mflidl32.exe119⤵PID:2152
-
C:\Windows\SysWOW64\Ncbfcp32.exeC:\Windows\system32\Ncbfcp32.exe120⤵PID:5988
-
C:\Windows\SysWOW64\Nmkkle32.exeC:\Windows\system32\Nmkkle32.exe121⤵PID:3120
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-