Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
04/03/2024, 14:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b2571f8dc1abdfc7fb8cf97441382093.exe
Resource
win7-20240215-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b2571f8dc1abdfc7fb8cf97441382093.exe
Resource
win10v2004-20240226-en
6 signatures
150 seconds
General
-
Target
b2571f8dc1abdfc7fb8cf97441382093.exe
-
Size
55KB
-
MD5
b2571f8dc1abdfc7fb8cf97441382093
-
SHA1
08b877da8b0517ef95eb8f2b7b5b63343a7bed8d
-
SHA256
45433fb923f28ce0ee53685a31769a5b83ab4bb5b2406bb5d3a2ad52c653aea5
-
SHA512
de20a31a17d468beb15de72f98dc179488c0b24fd722ebc34bcd37f7a7300d1118fc0122f737eef3eee323874f61f58ae9944f4e907614a3f86aa8ce7fd1829a
-
SSDEEP
768:nwpyOH1w8c2n6oSAxvEZxJJc3qCkmt/Q5gBMBgtJeqpieimT1Id2p/1H5PJcXdnh:wpye1wgn7Wg6CVZ7BIdeC2L2
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfdfgiid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhkdmlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkekjdck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nceonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcojed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejflhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqpjidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfodeohd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnihcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhoqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hecmijim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnlobej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boflmdkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldcjeia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcgkldl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmemac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdnoplhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgonidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcmpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemhff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnidn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqmjog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ponfka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldmlpbbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgidml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geohklaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplfkeob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdbcano.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phaahggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejeiocj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdiabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbbep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjgoaoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfiplog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2644 Lmccchkn.exe 1928 Ldmlpbbj.exe 4644 Lgkhlnbn.exe 4488 Laalifad.exe 3504 Ldohebqh.exe 1732 Lilanioo.exe 2456 Lnhmng32.exe 1540 Lpfijcfl.exe 1404 Lcdegnep.exe 4696 Lnjjdgee.exe 1216 Lphfpbdi.exe 4228 Lcgblncm.exe 3176 Lknjmkdo.exe 1576 Mahbje32.exe 1028 Mdfofakp.exe 1848 Mkpgck32.exe 4044 Majopeii.exe 1868 Mdiklqhm.exe 4948 Mgghhlhq.exe 448 Mnapdf32.exe 3136 Mdkhapfj.exe 3488 Mgidml32.exe 3556 Mncmjfmk.exe 3524 Maohkd32.exe 3928 Mdmegp32.exe 4768 Mglack32.exe 3652 Mjjmog32.exe 2440 Mpdelajl.exe 4528 Nkjjij32.exe 4828 Nacbfdao.exe 2012 Ndbnboqb.exe 2672 Nceonl32.exe 1924 Nklfoi32.exe 2088 Nqiogp32.exe 4816 Ngcgcjnc.exe 436 Njacpf32.exe 5056 Ncihikcg.exe 2728 Nkqpjidj.exe 1856 Nnolfdcn.exe 464 Nqmhbpba.exe 4248 Ncldnkae.exe 3992 Nbmelbid.exe 4884 Ndkahnhh.exe 2308 Ojhiqefo.exe 1532 Ocqnij32.exe 5000 Ojjffddl.exe 2288 Obangb32.exe 2788 Odpjcm32.exe 2988 Ogogoi32.exe 1372 Oqgkhnjf.exe 1620 Ocegdjij.exe 228 Ojopad32.exe 4412 Obfhba32.exe 2984 Ogcpjhoq.exe 5040 Ojalgcnd.exe 2072 Pcjapi32.exe 3148 Pnpemb32.exe 952 Peimil32.exe 1420 Pkceffcd.exe 680 Pnbbbabh.exe 3272 Pqpnombl.exe 1824 Pcojkhap.exe 3804 Pndohaqe.exe 3548 Pabkdmpi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Olckbd32.exe Nibbqicm.exe File created C:\Windows\SysWOW64\Glhonj32.exe Gfngap32.exe File opened for modification C:\Windows\SysWOW64\Ifefimom.exe Icgjmapi.exe File opened for modification C:\Windows\SysWOW64\Edjgfcec.exe Efffmo32.exe File created C:\Windows\SysWOW64\Kaehljpj.exe Knflpoqf.exe File created C:\Windows\SysWOW64\Nfnamjhk.exe Process not Found File created C:\Windows\SysWOW64\Nnolfdcn.exe Nkqpjidj.exe File created C:\Windows\SysWOW64\Gkhbdg32.exe Glebhjlg.exe File created C:\Windows\SysWOW64\Mgkjhe32.exe Mcpnhfhf.exe File created C:\Windows\SysWOW64\Eagaoh32.exe Daediilg.exe File opened for modification C:\Windows\SysWOW64\Ompfej32.exe Ojajin32.exe File created C:\Windows\SysWOW64\Bepjbf32.dll Process not Found File created C:\Windows\SysWOW64\Ceipnc32.dll Qkmhlekj.exe File created C:\Windows\SysWOW64\Melnob32.exe Mdjagjco.exe File created C:\Windows\SysWOW64\Padnaq32.exe Process not Found File created C:\Windows\SysWOW64\Hfningai.exe Hnfamjqg.exe File created C:\Windows\SysWOW64\Gejqna32.dll Process not Found File created C:\Windows\SysWOW64\Jklaah32.dll Iahlcaol.exe File opened for modification C:\Windows\SysWOW64\Mgddhf32.exe Mchhggno.exe File created C:\Windows\SysWOW64\Mkbogk32.dll Ahchda32.exe File opened for modification C:\Windows\SysWOW64\Kfckahdj.exe Kbhoqj32.exe File created C:\Windows\SysWOW64\Eemfmoce.dll Jhndljll.exe File created C:\Windows\SysWOW64\Npepkf32.exe Nmfcok32.exe File created C:\Windows\SysWOW64\Dllfqd32.dll Dkndie32.exe File created C:\Windows\SysWOW64\Ghehjh32.dll Edionhpn.exe File created C:\Windows\SysWOW64\Hlkolh32.dll Becifhfj.exe File opened for modification C:\Windows\SysWOW64\Hbbdholl.exe Hodgkc32.exe File created C:\Windows\SysWOW64\Cegjejoc.dll Daaicfgd.exe File created C:\Windows\SysWOW64\Fnipgg32.dll Mglfplgk.exe File created C:\Windows\SysWOW64\Pjkmomfn.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Gbiockdj.exe Gnnccl32.exe File created C:\Windows\SysWOW64\Ibhblqpo.dll Lknjmkdo.exe File created C:\Windows\SysWOW64\Iclnemml.dll Aegikj32.exe File created C:\Windows\SysWOW64\Pjehnm32.dll Pfdjinjo.exe File created C:\Windows\SysWOW64\Cgbiiion.dll Dclkee32.exe File created C:\Windows\SysWOW64\Fipkjb32.exe Fllkqn32.exe File created C:\Windows\SysWOW64\Lmbhgd32.exe Ljclki32.exe File created C:\Windows\SysWOW64\Baegibae.exe Bmjkic32.exe File opened for modification C:\Windows\SysWOW64\Licfngjd.exe Lbinam32.exe File opened for modification C:\Windows\SysWOW64\Olicnfco.exe Odmbaj32.exe File opened for modification C:\Windows\SysWOW64\Dijbno32.exe Ddnfmqng.exe File created C:\Windows\SysWOW64\Ffeifdjo.dll Feenjgfq.exe File created C:\Windows\SysWOW64\Ckcgkldl.exe Clpgpp32.exe File created C:\Windows\SysWOW64\Nnenbk32.dll Camphf32.exe File created C:\Windows\SysWOW64\Glebhjlg.exe Fdnjgmle.exe File created C:\Windows\SysWOW64\Oofaiokl.exe Olehhc32.exe File opened for modification C:\Windows\SysWOW64\Ffgqqaip.exe Fchddejl.exe File created C:\Windows\SysWOW64\Lgokmgjm.exe Lbdolh32.exe File created C:\Windows\SysWOW64\Impjjbmh.dll Aglnbhal.exe File created C:\Windows\SysWOW64\Lmccchkn.exe b2571f8dc1abdfc7fb8cf97441382093.exe File opened for modification C:\Windows\SysWOW64\Ahoimd32.exe Aaepqjpd.exe File created C:\Windows\SysWOW64\Ocbddc32.exe Oneklm32.exe File created C:\Windows\SysWOW64\Jofbdcmb.dll Pkadoiip.exe File created C:\Windows\SysWOW64\Ipgkjlmg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cknnpm32.exe Chpada32.exe File created C:\Windows\SysWOW64\Cipqnf32.dll Fnmepn32.exe File created C:\Windows\SysWOW64\Bejogg32.exe Bblckl32.exe File opened for modification C:\Windows\SysWOW64\Ljgpkonp.exe Lieccf32.exe File created C:\Windows\SysWOW64\Chqogq32.exe Cdecgbfa.exe File opened for modification C:\Windows\SysWOW64\Fecadghc.exe Fqgedh32.exe File opened for modification C:\Windows\SysWOW64\Qeemej32.exe Qbgqio32.exe File created C:\Windows\SysWOW64\Lgmdfppj.dll Famjkl32.exe File opened for modification C:\Windows\SysWOW64\Amgapeea.exe Andqdh32.exe File created C:\Windows\SysWOW64\Fhabbp32.exe Fgbfhmll.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13736 7360 Process not Found 1259 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnjj32.dll" Ekhjmiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehedfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklhm32.dll" Jnpfop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgmdec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll" Maohkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bopgjmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmhkg32.dll" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egcaod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekhjmiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fajnfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll" Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbqla32.dll" Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnafk32.dll" Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdimqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicinj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedeph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll" Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oofaiokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjaqpbkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikcmbfcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnhmng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncdgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhjmiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Angddopp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodkhj32.dll" Eonehbjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkabjbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjpndjd.dll" Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdkggg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lphfpbdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khfclo32.dll" Clgbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaonjaj.dll" Enpfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkolh32.dll" Becifhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegjejoc.dll" Daaicfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcjjj32.dll" Ddifgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adopjh32.dll" Ifjodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpijle32.dll" Loeolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpopokm.dll" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll" Mbfkbhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnfamjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kndojobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll" Caojpaij.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5008 wrote to memory of 2644 5008 b2571f8dc1abdfc7fb8cf97441382093.exe 86 PID 5008 wrote to memory of 2644 5008 b2571f8dc1abdfc7fb8cf97441382093.exe 86 PID 5008 wrote to memory of 2644 5008 b2571f8dc1abdfc7fb8cf97441382093.exe 86 PID 2644 wrote to memory of 1928 2644 Lmccchkn.exe 87 PID 2644 wrote to memory of 1928 2644 Lmccchkn.exe 87 PID 2644 wrote to memory of 1928 2644 Lmccchkn.exe 87 PID 1928 wrote to memory of 4644 1928 Ldmlpbbj.exe 88 PID 1928 wrote to memory of 4644 1928 Ldmlpbbj.exe 88 PID 1928 wrote to memory of 4644 1928 Ldmlpbbj.exe 88 PID 4644 wrote to memory of 4488 4644 Lgkhlnbn.exe 89 PID 4644 wrote to memory of 4488 4644 Lgkhlnbn.exe 89 PID 4644 wrote to memory of 4488 4644 Lgkhlnbn.exe 89 PID 4488 wrote to memory of 3504 4488 Laalifad.exe 90 PID 4488 wrote to memory of 3504 4488 Laalifad.exe 90 PID 4488 wrote to memory of 3504 4488 Laalifad.exe 90 PID 3504 wrote to memory of 1732 3504 Ldohebqh.exe 91 PID 3504 wrote to memory of 1732 3504 Ldohebqh.exe 91 PID 3504 wrote to memory of 1732 3504 Ldohebqh.exe 91 PID 1732 wrote to memory of 2456 1732 Lilanioo.exe 92 PID 1732 wrote to memory of 2456 1732 Lilanioo.exe 92 PID 1732 wrote to memory of 2456 1732 Lilanioo.exe 92 PID 2456 wrote to memory of 1540 2456 Lnhmng32.exe 93 PID 2456 wrote to memory of 1540 2456 Lnhmng32.exe 93 PID 2456 wrote to memory of 1540 2456 Lnhmng32.exe 93 PID 1540 wrote to memory of 1404 1540 Lpfijcfl.exe 94 PID 1540 wrote to memory of 1404 1540 Lpfijcfl.exe 94 PID 1540 wrote to memory of 1404 1540 Lpfijcfl.exe 94 PID 1404 wrote to memory of 4696 1404 Lcdegnep.exe 95 PID 1404 wrote to memory of 4696 1404 Lcdegnep.exe 95 PID 1404 wrote to memory of 4696 1404 Lcdegnep.exe 95 PID 4696 wrote to memory of 1216 4696 Lnjjdgee.exe 96 PID 4696 wrote to memory of 1216 4696 Lnjjdgee.exe 96 PID 4696 wrote to memory of 1216 4696 Lnjjdgee.exe 96 PID 1216 wrote to memory of 4228 1216 Lphfpbdi.exe 97 PID 1216 wrote to memory of 4228 1216 Lphfpbdi.exe 97 PID 1216 wrote to memory of 4228 1216 Lphfpbdi.exe 97 PID 4228 wrote to memory of 3176 4228 Lcgblncm.exe 98 PID 4228 wrote to memory of 3176 4228 Lcgblncm.exe 98 PID 4228 wrote to memory of 3176 4228 Lcgblncm.exe 98 PID 3176 wrote to memory of 1576 3176 Lknjmkdo.exe 99 PID 3176 wrote to memory of 1576 3176 Lknjmkdo.exe 99 PID 3176 wrote to memory of 1576 3176 Lknjmkdo.exe 99 PID 1576 wrote to memory of 1028 1576 Mahbje32.exe 100 PID 1576 wrote to memory of 1028 1576 Mahbje32.exe 100 PID 1576 wrote to memory of 1028 1576 Mahbje32.exe 100 PID 1028 wrote to memory of 1848 1028 Mdfofakp.exe 101 PID 1028 wrote to memory of 1848 1028 Mdfofakp.exe 101 PID 1028 wrote to memory of 1848 1028 Mdfofakp.exe 101 PID 1848 wrote to memory of 4044 1848 Mkpgck32.exe 102 PID 1848 wrote to memory of 4044 1848 Mkpgck32.exe 102 PID 1848 wrote to memory of 4044 1848 Mkpgck32.exe 102 PID 4044 wrote to memory of 1868 4044 Majopeii.exe 103 PID 4044 wrote to memory of 1868 4044 Majopeii.exe 103 PID 4044 wrote to memory of 1868 4044 Majopeii.exe 103 PID 1868 wrote to memory of 4948 1868 Mdiklqhm.exe 104 PID 1868 wrote to memory of 4948 1868 Mdiklqhm.exe 104 PID 1868 wrote to memory of 4948 1868 Mdiklqhm.exe 104 PID 4948 wrote to memory of 448 4948 Mgghhlhq.exe 105 PID 4948 wrote to memory of 448 4948 Mgghhlhq.exe 105 PID 4948 wrote to memory of 448 4948 Mgghhlhq.exe 105 PID 448 wrote to memory of 3136 448 Mnapdf32.exe 106 PID 448 wrote to memory of 3136 448 Mnapdf32.exe 106 PID 448 wrote to memory of 3136 448 Mnapdf32.exe 106 PID 3136 wrote to memory of 3488 3136 Mdkhapfj.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2571f8dc1abdfc7fb8cf97441382093.exe"C:\Users\Admin\AppData\Local\Temp\b2571f8dc1abdfc7fb8cf97441382093.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe24⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe26⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe27⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe28⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe29⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe30⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe31⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe32⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe34⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe35⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe36⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe37⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe38⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe40⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe41⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe43⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe44⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe45⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe46⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe47⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe48⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe49⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe50⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe51⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe52⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe53⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe54⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe55⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe56⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe57⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe58⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe59⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe60⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe61⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe62⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe63⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe64⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe65⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe66⤵PID:3540
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe67⤵PID:5076
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe68⤵PID:1760
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe69⤵PID:3924
-
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe70⤵PID:1104
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe71⤵PID:1204
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3628 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe73⤵PID:3428
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe74⤵
- Drops file in System32 directory
PID:4512 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe75⤵
- Drops file in System32 directory
PID:4940 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe76⤵PID:4112
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe77⤵PID:1180
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe78⤵PID:4440
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe79⤵PID:4892
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe80⤵
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe81⤵
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe83⤵PID:1452
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe84⤵PID:3776
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe85⤵PID:1816
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe86⤵PID:3724
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe87⤵PID:456
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe88⤵PID:5152
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe90⤵PID:5244
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe91⤵PID:5288
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe92⤵PID:5336
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe93⤵
- Modifies registry class
PID:5376 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe94⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe95⤵PID:5456
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe96⤵PID:5496
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe97⤵PID:5544
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe99⤵PID:5632
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe100⤵PID:5676
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe101⤵PID:5724
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe102⤵PID:5764
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe103⤵PID:5812
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe104⤵PID:5848
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe105⤵PID:5916
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe106⤵PID:5972
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe107⤵PID:6020
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe108⤵PID:6060
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe109⤵
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe110⤵
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe111⤵PID:5180
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe112⤵PID:5256
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe113⤵PID:5304
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe114⤵PID:5364
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe115⤵PID:5440
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe116⤵PID:5512
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe117⤵PID:5568
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe118⤵PID:5648
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe119⤵PID:5716
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe120⤵PID:5808
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe121⤵PID:5888
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe122⤵PID:5948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-