Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
160s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
03/01/2024, 15:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f4b3467030ca6acfbec8f4f16ca0f60b.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f4b3467030ca6acfbec8f4f16ca0f60b.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f4b3467030ca6acfbec8f4f16ca0f60b.exe
-
Size
80KB
-
MD5
f4b3467030ca6acfbec8f4f16ca0f60b
-
SHA1
a9e4c1dda5bf8eb2fde5e54120f73885fcb9bb90
-
SHA256
505abbd4f204799788f57404439eed4d0aa548200effd887bd9280292acf4d70
-
SHA512
59a26cf8a13675e77021b1220c08af049395d6407e9feba09e7cc00b07cfbadce73aa718d5b9754de8243183e40e0d2449650c52b9e4d7596789e99120d500a1
-
SSDEEP
1536:RpfyOCK+SlL+P7TUuwbVOpuPS2LJWS5DUHRbPa9b6i+sIk:ThzXYPMuwbcpEfMS5DSCopsIk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nljgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofnba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahdapae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmgkja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmajmaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohobebig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmbmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdpok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhppap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aappdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlpjikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djelqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgglnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqofippg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihgnfnjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpceogl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nladpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpjeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljcejhnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chibfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijngkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgjhicl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfobfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhinq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopjchnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfphn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckphamkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnehifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjbhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqipeboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doojni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpfbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkihgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhgcdjje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdlajfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cknlln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpcbdba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mminfech.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkaadebl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opiipkfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlanpfkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnendhol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmgof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgpaqbcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdiobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmgjbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfeandd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaachha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iafgob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljlagndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inlibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laglkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpijgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddpjjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keekjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggfobofl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednajepe.exe -
Executes dropped EXE 64 IoCs
pid Process 920 Apjdikqd.exe 4024 Bjhkmbho.exe 2392 Bbhildae.exe 4600 Daeifj32.exe 2656 Dcphdqmj.exe 1768 Edaaccbj.exe 1100 Eddnic32.exe 3528 Fgiaemic.exe 1400 Fjocbhbo.exe 2560 Gndbie32.exe 2584 Gcqjal32.exe 3000 Hcjmhk32.exe 4048 Iabglnco.exe 820 Ibbcfa32.exe 3920 Idhiii32.exe 3092 Jlanpfkj.exe 1256 Jlkafdco.exe 4160 Kkpnga32.exe 5104 Kkbkmqed.exe 3180 Ldbefe32.exe 4604 Lbhool32.exe 376 Mlgjhp32.exe 912 Mahklf32.exe 4988 Nhjjip32.exe 2176 Ohqpjo32.exe 2608 Obnnnc32.exe 3184 Pijcpmhc.exe 1484 Pmhkflnj.exe 1436 Pfeijqqe.exe 3824 Bpemkcck.exe 2892 Cmmgof32.exe 2556 Cbjogmlf.exe 460 Dfonnk32.exe 3200 Eilfldoi.exe 2736 Ecidpiad.exe 4112 Fjjcmbci.exe 3800 Gloejmld.exe 1660 Gqokekph.exe 996 Icnphd32.exe 4952 Iqdmghnp.exe 5108 Imnjbhaa.exe 2652 Jeneidji.exe 5028 Kccbjq32.exe 1160 Khakqo32.exe 2348 Keekjc32.exe 2492 Khhaanop.exe 3236 Laglkb32.exe 2236 Mmcfkc32.exe 5068 Meadlo32.exe 4196 Nahdapae.exe 3212 Nggjog32.exe 2104 Ndmgnkja.exe 3576 Oogdfc32.exe 2944 Ogcike32.exe 3792 Oeffnl32.exe 3876 Paocim32.exe 1396 Pnfdnnbo.exe 3500 Pfpidk32.exe 1488 Pbifol32.exe 692 Qffoejkg.exe 4316 Qoocnpag.exe 232 Abbiej32.exe 4700 Aofjoo32.exe 4292 Bpomem32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mnailf32.dll Ohobebig.exe File created C:\Windows\SysWOW64\Fqlimneb.dll Nboggf32.exe File created C:\Windows\SysWOW64\Fkihgb32.exe Ehlpjikd.exe File created C:\Windows\SysWOW64\Plhcglil.exe Oeloebcb.exe File opened for modification C:\Windows\SysWOW64\Hhojlfpd.exe Hbbacobm.exe File created C:\Windows\SysWOW64\Gcljpeah.dll Fjjcmbci.exe File opened for modification C:\Windows\SysWOW64\Fiaogfai.exe Fjpoio32.exe File created C:\Windows\SysWOW64\Bojhnjgf.exe Bhppap32.exe File created C:\Windows\SysWOW64\Jngbcj32.exe Jofaeb32.exe File opened for modification C:\Windows\SysWOW64\Khhaanop.exe Keekjc32.exe File created C:\Windows\SysWOW64\Mpbaipdn.dll Ejcaidlp.exe File created C:\Windows\SysWOW64\Moacbe32.exe Mdloelpc.exe File created C:\Windows\SysWOW64\Hiaqbf32.dll Jgjnpm32.exe File created C:\Windows\SysWOW64\Blghll32.dll Dmnkdfce.exe File created C:\Windows\SysWOW64\Kppphe32.exe Kifhkkci.exe File created C:\Windows\SysWOW64\Oihkjl32.dll Fbdeba32.exe File created C:\Windows\SysWOW64\Fpdekm32.dll Gbnhhp32.exe File created C:\Windows\SysWOW64\Qhdaik32.dll Bbjmih32.exe File created C:\Windows\SysWOW64\Pineca32.dll Lqcjqcnp.exe File opened for modification C:\Windows\SysWOW64\Onkphi32.exe Odfljp32.exe File created C:\Windows\SysWOW64\Nnohfi32.dll Bonhqnpi.exe File created C:\Windows\SysWOW64\Ahmjce32.exe Aabafkgh.exe File created C:\Windows\SysWOW64\Fopielld.dll Poelfc32.exe File created C:\Windows\SysWOW64\Kmklnk32.dll Hfajlp32.exe File created C:\Windows\SysWOW64\Cckaddao.dll Leihlj32.exe File created C:\Windows\SysWOW64\Oeobfc32.dll Jkdcffci.exe File created C:\Windows\SysWOW64\Pkihkf32.dll Hehdpjki.exe File created C:\Windows\SysWOW64\Bgkoqn32.dll Jeneidji.exe File created C:\Windows\SysWOW64\Lcgmnddm.dll Mmcfkc32.exe File created C:\Windows\SysWOW64\Pnjnnclb.dll Jbmfig32.exe File created C:\Windows\SysWOW64\Ekdpdkkf.dll Hjkigojc.exe File created C:\Windows\SysWOW64\Khjnmlap.dll Aeodapcl.exe File created C:\Windows\SysWOW64\Ojmmdmaj.dll Bdagidhi.exe File opened for modification C:\Windows\SysWOW64\Ndmgnkja.exe Nggjog32.exe File created C:\Windows\SysWOW64\Ggfobofl.exe Gipbck32.exe File created C:\Windows\SysWOW64\Ogdofo32.exe Ohobebig.exe File created C:\Windows\SysWOW64\Dfbcek32.exe Ddbfkh32.exe File created C:\Windows\SysWOW64\Ckgnbl32.exe Chibfa32.exe File created C:\Windows\SysWOW64\Imnjbhaa.exe Iqdmghnp.exe File opened for modification C:\Windows\SysWOW64\Falmabki.exe Enigjh32.exe File opened for modification C:\Windows\SysWOW64\Lgnleiid.exe Lgibjj32.exe File created C:\Windows\SysWOW64\Gmggpekm.exe Gkdaij32.exe File opened for modification C:\Windows\SysWOW64\Gbkkbp32.exe Gkacff32.exe File opened for modification C:\Windows\SysWOW64\Iihilhol.exe Ibnaonhp.exe File opened for modification C:\Windows\SysWOW64\Ecidpiad.exe Eilfldoi.exe File created C:\Windows\SysWOW64\Jbmfig32.exe Jaljaoii.exe File created C:\Windows\SysWOW64\Egijfjmp.exe Ekbiaigk.exe File created C:\Windows\SysWOW64\Mpofnj32.dll Djelqo32.exe File created C:\Windows\SysWOW64\Ghnjedlk.dll Banabi32.exe File opened for modification C:\Windows\SysWOW64\Ameipl32.exe Qanhkk32.exe File created C:\Windows\SysWOW64\Laglkb32.exe Khhaanop.exe File created C:\Windows\SysWOW64\Hfggoh32.dll Oeloebcb.exe File created C:\Windows\SysWOW64\Dcegdd32.dll Akccje32.exe File opened for modification C:\Windows\SysWOW64\Clbhkfdl.exe Cfipol32.exe File created C:\Windows\SysWOW64\Dbicjlji.exe Dkokma32.exe File created C:\Windows\SysWOW64\Fbcfan32.exe Fpbmpc32.exe File created C:\Windows\SysWOW64\Qanhkk32.exe Pagbklae.exe File created C:\Windows\SysWOW64\Ohbfgkan.dll Pchcdbck.exe File created C:\Windows\SysWOW64\Nhjbjp32.exe Nladpo32.exe File opened for modification C:\Windows\SysWOW64\Ebgpkj32.exe Emjgcc32.exe File opened for modification C:\Windows\SysWOW64\Pabhpm32.exe Pjhpccnn.exe File opened for modification C:\Windows\SysWOW64\Bpaikm32.exe Bpomem32.exe File created C:\Windows\SysWOW64\Dcopke32.exe Dhjknljl.exe File opened for modification C:\Windows\SysWOW64\Jialbf32.exe Jbgdelpe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4292 8160 WerFault.exe 726 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmgdjbb.dll" Kfcdaehf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfomone.dll" Dfglpjqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gajibq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbjeei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpbkj32.dll" Opiipkfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idfkednq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbebdpca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcbcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpkddd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foocegea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obnnnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhefmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdojdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdlal32.dll" Ginnokej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfabok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlidkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oejbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akiijq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbbacobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlihj32.dll" Ebpqjmpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmfjfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmpclnof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpinq32.dll" Lhkghofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffeaqem.dll" Pfdbknda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgabmp32.dll" Igmgji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajfobfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmelek32.dll" Kmijliej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmijliej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcabd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doojni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gndima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmncgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oampdkbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll" Bbhildae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknqppmi.dll" Lqfgfclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfhkhnb.dll" Aokkknbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfido32.dll" Jgoflpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npmjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhppap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plijbblh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ednolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqkigp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akipdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpohkn32.dll" Ljqhdhpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiong32.dll" Bpfcelml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbbpgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhopbg.dll" Hlpfak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhflhcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjccl32.dll" Kbebdpca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiipca32.dll" Jdaajkfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akccje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boeelcmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggjqqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqpjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeneidji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpaikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihilhol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkdmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeloebcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maocdibm.dll" Ljcejhnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 920 2084 f4b3467030ca6acfbec8f4f16ca0f60b.exe 91 PID 2084 wrote to memory of 920 2084 f4b3467030ca6acfbec8f4f16ca0f60b.exe 91 PID 2084 wrote to memory of 920 2084 f4b3467030ca6acfbec8f4f16ca0f60b.exe 91 PID 920 wrote to memory of 4024 920 Apjdikqd.exe 92 PID 920 wrote to memory of 4024 920 Apjdikqd.exe 92 PID 920 wrote to memory of 4024 920 Apjdikqd.exe 92 PID 4024 wrote to memory of 2392 4024 Bjhkmbho.exe 93 PID 4024 wrote to memory of 2392 4024 Bjhkmbho.exe 93 PID 4024 wrote to memory of 2392 4024 Bjhkmbho.exe 93 PID 2392 wrote to memory of 4600 2392 Bbhildae.exe 94 PID 2392 wrote to memory of 4600 2392 Bbhildae.exe 94 PID 2392 wrote to memory of 4600 2392 Bbhildae.exe 94 PID 4600 wrote to memory of 2656 4600 Daeifj32.exe 95 PID 4600 wrote to memory of 2656 4600 Daeifj32.exe 95 PID 4600 wrote to memory of 2656 4600 Daeifj32.exe 95 PID 2656 wrote to memory of 1768 2656 Dcphdqmj.exe 96 PID 2656 wrote to memory of 1768 2656 Dcphdqmj.exe 96 PID 2656 wrote to memory of 1768 2656 Dcphdqmj.exe 96 PID 1768 wrote to memory of 1100 1768 Edaaccbj.exe 97 PID 1768 wrote to memory of 1100 1768 Edaaccbj.exe 97 PID 1768 wrote to memory of 1100 1768 Edaaccbj.exe 97 PID 1100 wrote to memory of 3528 1100 Eddnic32.exe 98 PID 1100 wrote to memory of 3528 1100 Eddnic32.exe 98 PID 1100 wrote to memory of 3528 1100 Eddnic32.exe 98 PID 3528 wrote to memory of 1400 3528 Fgiaemic.exe 99 PID 3528 wrote to memory of 1400 3528 Fgiaemic.exe 99 PID 3528 wrote to memory of 1400 3528 Fgiaemic.exe 99 PID 1400 wrote to memory of 2560 1400 Fjocbhbo.exe 100 PID 1400 wrote to memory of 2560 1400 Fjocbhbo.exe 100 PID 1400 wrote to memory of 2560 1400 Fjocbhbo.exe 100 PID 2560 wrote to memory of 2584 2560 Gndbie32.exe 101 PID 2560 wrote to memory of 2584 2560 Gndbie32.exe 101 PID 2560 wrote to memory of 2584 2560 Gndbie32.exe 101 PID 2584 wrote to memory of 3000 2584 Gcqjal32.exe 102 PID 2584 wrote to memory of 3000 2584 Gcqjal32.exe 102 PID 2584 wrote to memory of 3000 2584 Gcqjal32.exe 102 PID 3000 wrote to memory of 4048 3000 Hcjmhk32.exe 103 PID 3000 wrote to memory of 4048 3000 Hcjmhk32.exe 103 PID 3000 wrote to memory of 4048 3000 Hcjmhk32.exe 103 PID 4048 wrote to memory of 820 4048 Iabglnco.exe 104 PID 4048 wrote to memory of 820 4048 Iabglnco.exe 104 PID 4048 wrote to memory of 820 4048 Iabglnco.exe 104 PID 820 wrote to memory of 3920 820 Ibbcfa32.exe 105 PID 820 wrote to memory of 3920 820 Ibbcfa32.exe 105 PID 820 wrote to memory of 3920 820 Ibbcfa32.exe 105 PID 3920 wrote to memory of 3092 3920 Idhiii32.exe 106 PID 3920 wrote to memory of 3092 3920 Idhiii32.exe 106 PID 3920 wrote to memory of 3092 3920 Idhiii32.exe 106 PID 3092 wrote to memory of 1256 3092 Jlanpfkj.exe 107 PID 3092 wrote to memory of 1256 3092 Jlanpfkj.exe 107 PID 3092 wrote to memory of 1256 3092 Jlanpfkj.exe 107 PID 1256 wrote to memory of 4160 1256 Jlkafdco.exe 108 PID 1256 wrote to memory of 4160 1256 Jlkafdco.exe 108 PID 1256 wrote to memory of 4160 1256 Jlkafdco.exe 108 PID 4160 wrote to memory of 5104 4160 Kkpnga32.exe 109 PID 4160 wrote to memory of 5104 4160 Kkpnga32.exe 109 PID 4160 wrote to memory of 5104 4160 Kkpnga32.exe 109 PID 5104 wrote to memory of 3180 5104 Kkbkmqed.exe 110 PID 5104 wrote to memory of 3180 5104 Kkbkmqed.exe 110 PID 5104 wrote to memory of 3180 5104 Kkbkmqed.exe 110 PID 3180 wrote to memory of 4604 3180 Ldbefe32.exe 111 PID 3180 wrote to memory of 4604 3180 Ldbefe32.exe 111 PID 3180 wrote to memory of 4604 3180 Ldbefe32.exe 111 PID 4604 wrote to memory of 376 4604 Lbhool32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4b3467030ca6acfbec8f4f16ca0f60b.exe"C:\Users\Admin\AppData\Local\Temp\f4b3467030ca6acfbec8f4f16ca0f60b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Apjdikqd.exeC:\Windows\system32\Apjdikqd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Bjhkmbho.exeC:\Windows\system32\Bjhkmbho.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Daeifj32.exeC:\Windows\system32\Daeifj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Edaaccbj.exeC:\Windows\system32\Edaaccbj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Gcqjal32.exeC:\Windows\system32\Gcqjal32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Hcjmhk32.exeC:\Windows\system32\Hcjmhk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Kkpnga32.exeC:\Windows\system32\Kkpnga32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Kkbkmqed.exeC:\Windows\system32\Kkbkmqed.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe23⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Nhjjip32.exeC:\Windows\system32\Nhjjip32.exe25⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe28⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe29⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe30⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe31⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe33⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe34⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe35⤵PID:5004
-
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe37⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4112 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe39⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe40⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\Imnjbhaa.exeC:\Windows\system32\Imnjbhaa.exe43⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Kccbjq32.exeC:\Windows\system32\Kccbjq32.exe45⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Khakqo32.exeC:\Windows\system32\Khakqo32.exe46⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Keekjc32.exeC:\Windows\system32\Keekjc32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe51⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Nggjog32.exeC:\Windows\system32\Nggjog32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe54⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe55⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe56⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe57⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe58⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe59⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Pfpidk32.exeC:\Windows\system32\Pfpidk32.exe60⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Pbifol32.exeC:\Windows\system32\Pbifol32.exe61⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Qffoejkg.exeC:\Windows\system32\Qffoejkg.exe62⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe63⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe64⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Aofjoo32.exeC:\Windows\system32\Aofjoo32.exe65⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4292 -
C:\Windows\SysWOW64\Bpaikm32.exeC:\Windows\system32\Bpaikm32.exe67⤵
- Modifies registry class
PID:3756 -
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe68⤵PID:1420
-
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe69⤵
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Ciaddaaj.exeC:\Windows\system32\Ciaddaaj.exe70⤵PID:4792
-
C:\Windows\SysWOW64\Cehdib32.exeC:\Windows\system32\Cehdib32.exe71⤵PID:3188
-
C:\Windows\SysWOW64\Cnbfgh32.exeC:\Windows\system32\Cnbfgh32.exe72⤵PID:3488
-
C:\Windows\SysWOW64\Dolinf32.exeC:\Windows\system32\Dolinf32.exe73⤵PID:1792
-
C:\Windows\SysWOW64\Efjgpc32.exeC:\Windows\system32\Efjgpc32.exe74⤵
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Ebeapc32.exeC:\Windows\system32\Ebeapc32.exe75⤵PID:2280
-
C:\Windows\SysWOW64\Elnehifk.exeC:\Windows\system32\Elnehifk.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe77⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Fhgccijm.exeC:\Windows\system32\Fhgccijm.exe78⤵PID:4236
-
C:\Windows\SysWOW64\Fifomlap.exeC:\Windows\system32\Fifomlap.exe79⤵PID:2676
-
C:\Windows\SysWOW64\Fpqgjf32.exeC:\Windows\system32\Fpqgjf32.exe80⤵PID:5128
-
C:\Windows\SysWOW64\Gipbck32.exeC:\Windows\system32\Gipbck32.exe81⤵
- Drops file in System32 directory
PID:5172 -
C:\Windows\SysWOW64\Ggfobofl.exeC:\Windows\system32\Ggfobofl.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Glchjedc.exeC:\Windows\system32\Glchjedc.exe83⤵PID:5252
-
C:\Windows\SysWOW64\Geklckkd.exeC:\Windows\system32\Geklckkd.exe84⤵PID:5300
-
C:\Windows\SysWOW64\Hohjgpmo.exeC:\Windows\system32\Hohjgpmo.exe85⤵PID:5348
-
C:\Windows\SysWOW64\Hjbhph32.exeC:\Windows\system32\Hjbhph32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5388 -
C:\Windows\SysWOW64\Ioppho32.exeC:\Windows\system32\Ioppho32.exe87⤵PID:5428
-
C:\Windows\SysWOW64\Ihheqd32.exeC:\Windows\system32\Ihheqd32.exe88⤵PID:5484
-
C:\Windows\SysWOW64\Ihmnldib.exeC:\Windows\system32\Ihmnldib.exe89⤵PID:5524
-
C:\Windows\SysWOW64\Ignnjk32.exeC:\Windows\system32\Ignnjk32.exe90⤵PID:5568
-
C:\Windows\SysWOW64\Imjgbb32.exeC:\Windows\system32\Imjgbb32.exe91⤵PID:5616
-
C:\Windows\SysWOW64\Ijngkf32.exeC:\Windows\system32\Ijngkf32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5660 -
C:\Windows\SysWOW64\Jfehpg32.exeC:\Windows\system32\Jfehpg32.exe93⤵PID:5704
-
C:\Windows\SysWOW64\Jqofippg.exeC:\Windows\system32\Jqofippg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5752 -
C:\Windows\SysWOW64\Kfcdaehf.exeC:\Windows\system32\Kfcdaehf.exe95⤵
- Modifies registry class
PID:5800 -
C:\Windows\SysWOW64\Lmdbooik.exeC:\Windows\system32\Lmdbooik.exe96⤵PID:5848
-
C:\Windows\SysWOW64\Lmfodn32.exeC:\Windows\system32\Lmfodn32.exe97⤵PID:5884
-
C:\Windows\SysWOW64\Lcqgahoe.exeC:\Windows\system32\Lcqgahoe.exe98⤵PID:5932
-
C:\Windows\SysWOW64\Lmiljn32.exeC:\Windows\system32\Lmiljn32.exe99⤵PID:5980
-
C:\Windows\SysWOW64\Lplaaiqd.exeC:\Windows\system32\Lplaaiqd.exe100⤵PID:6024
-
C:\Windows\SysWOW64\Miipencp.exeC:\Windows\system32\Miipencp.exe101⤵PID:6088
-
C:\Windows\SysWOW64\Nhafcd32.exeC:\Windows\system32\Nhafcd32.exe102⤵PID:6128
-
C:\Windows\SysWOW64\Nibbklke.exeC:\Windows\system32\Nibbklke.exe103⤵PID:5168
-
C:\Windows\SysWOW64\Ohmepbki.exeC:\Windows\system32\Ohmepbki.exe104⤵PID:2660
-
C:\Windows\SysWOW64\Ohobebig.exeC:\Windows\system32\Ohobebig.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Ogdofo32.exeC:\Windows\system32\Ogdofo32.exe106⤵PID:5356
-
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe107⤵PID:5416
-
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe108⤵PID:5512
-
C:\Windows\SysWOW64\Pkedbmab.exeC:\Windows\system32\Pkedbmab.exe109⤵PID:5556
-
C:\Windows\SysWOW64\Pdbbfadn.exeC:\Windows\system32\Pdbbfadn.exe110⤵PID:5624
-
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe111⤵PID:5684
-
C:\Windows\SysWOW64\Bqkigp32.exeC:\Windows\system32\Bqkigp32.exe112⤵
- Modifies registry class
PID:5760 -
C:\Windows\SysWOW64\Bggnijof.exeC:\Windows\system32\Bggnijof.exe113⤵PID:5836
-
C:\Windows\SysWOW64\Bhgjcmfi.exeC:\Windows\system32\Bhgjcmfi.exe114⤵PID:5900
-
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe115⤵PID:5960
-
C:\Windows\SysWOW64\Elfhmc32.exeC:\Windows\system32\Elfhmc32.exe116⤵PID:6032
-
C:\Windows\SysWOW64\Ebpqjmpd.exeC:\Windows\system32\Ebpqjmpd.exe117⤵
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Fjpoio32.exeC:\Windows\system32\Fjpoio32.exe118⤵
- Drops file in System32 directory
PID:6112 -
C:\Windows\SysWOW64\Fiaogfai.exeC:\Windows\system32\Fiaogfai.exe119⤵PID:5040
-
C:\Windows\SysWOW64\Fbjcplhj.exeC:\Windows\system32\Fbjcplhj.exe120⤵PID:5240
-
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe121⤵
- Modifies registry class
PID:5344
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-