Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2024, 02:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b.exe
-
Size
446KB
-
MD5
df3ce8aaf0ba10f22aa54cff7000df95
-
SHA1
c64411a064d8bfe4b3a15759a0d9173c0b71327a
-
SHA256
e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b
-
SHA512
05fdcbcc54447db38590672c1893a63540a002cdf175afc05ed76f04bb6ac0d5fb5849125c71a0dd8d258ddefbaa01ebeae091eb85d42502141e3a8436fa459c
-
SSDEEP
6144:TyXpFWLmPOwXYrMdlvkGr0f+uPOwXYrMdlsLS7De:TyZcdwIaJwIdSy
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odljjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lelajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlobmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpomiok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mociol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaefne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmipdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdaonmdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnoigpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhbbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnapgjdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphmafm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbpdgap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohdlpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paaidf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pacfjfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giokid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlcmgqdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edakimoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcoqdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpkkgbmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmlmjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaihonhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkgnalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kafcadej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfakcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhofbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kclnfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lechkaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oolnabal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcabhido.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfabok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpomiok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihhmgaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmeoqlpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfdnnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Logbigbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnpgdmjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgnjebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqpbboeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jolhjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcccdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amoknh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlcjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Memalfcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgaglpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcphpdil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifghmae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobabg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ialhdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kojdkhdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkebee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdipag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladpcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhenpk32.exe -
Executes dropped EXE 64 IoCs
pid Process 3516 Qdoacabq.exe 1240 Amqhbe32.exe 2440 Bobabg32.exe 3428 Bacjdbch.exe 3164 Cdimqm32.exe 4928 Conanfli.exe 1992 Cocjiehd.exe 2944 Cklhcfle.exe 436 Dkndie32.exe 2088 Dgjoif32.exe 2880 Ehlhih32.exe 3296 Edeeci32.exe 2412 Fnbcgn32.exe 4268 Fqbliicp.exe 4200 Fqeioiam.exe 4080 Fbgbnkfm.exe 748 Ggfglb32.exe 2920 Gbnhoj32.exe 3604 Gacepg32.exe 2424 Geanfelc.exe 3256 Hlmchoan.exe 3764 Hpkknmgd.exe 4596 Hnphoj32.exe 4308 Ipdndloi.exe 2388 Kolabf32.exe 2608 Khiofk32.exe 3672 Lepleocn.exe 4284 Lafmjp32.exe 2124 Ledepn32.exe 3168 Lomjicei.exe 2372 Lfiokmkc.exe 2276 Lpochfji.exe 2164 Mablfnne.exe 916 Mjnnbk32.exe 3092 Mqhfoebo.exe 3232 Mfenglqf.exe 4548 Nfihbk32.exe 2352 Nmcpoedn.exe 4036 Nfqnbjfi.exe 4180 Nmjfodne.exe 4432 Pbcncibp.exe 2936 Pjlcjf32.exe 872 Ppikbm32.exe 4876 Pmmlla32.exe 2912 Pciqnk32.exe 5128 Qamago32.exe 5168 Apggckbf.exe 5216 Abhqefpg.exe 5256 Apnndj32.exe 5300 Ajdbac32.exe 5340 Biklho32.exe 5384 Bpedeiff.exe 5424 Baepolni.exe 5464 Bmladm32.exe 5512 Bbhildae.exe 5556 Cmpjoloh.exe 5600 Cancekeo.exe 5636 Cpcpfg32.exe 5684 Ckidcpjl.exe 5728 Dphiaffa.exe 5768 Dajbaika.exe 5816 Ecbeip32.exe 5856 Enjfli32.exe 5904 Ecgodpgb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ogmiepcf.exe Nkghqo32.exe File created C:\Windows\SysWOW64\Eqnmad32.dll Kjqfmn32.exe File created C:\Windows\SysWOW64\Oecopk32.dll Qipjokik.exe File opened for modification C:\Windows\SysWOW64\Hmmakk32.exe Hfcinq32.exe File opened for modification C:\Windows\SysWOW64\Qfilkj32.exe Qkchna32.exe File created C:\Windows\SysWOW64\Jcknee32.exe Jhejgl32.exe File created C:\Windows\SysWOW64\Pignccea.exe Pbmffi32.exe File created C:\Windows\SysWOW64\Gbpnjdkg.exe Gkcigjel.exe File created C:\Windows\SysWOW64\Bnkfonke.dll Hakidd32.exe File created C:\Windows\SysWOW64\Begndj32.dll Fdkdibjp.exe File opened for modification C:\Windows\SysWOW64\Phlikg32.exe Pnfdnnbo.exe File opened for modification C:\Windows\SysWOW64\Hhaope32.exe Hhobjf32.exe File opened for modification C:\Windows\SysWOW64\Ipdndloi.exe Hnphoj32.exe File created C:\Windows\SysWOW64\Mgccelpk.dll Mjnnbk32.exe File created C:\Windows\SysWOW64\Oegbgf32.dll Nlknbb32.exe File created C:\Windows\SysWOW64\Aahgec32.dll Beoimjce.exe File created C:\Windows\SysWOW64\Iabodcnj.exe Ileflmpb.exe File created C:\Windows\SysWOW64\Aofemaog.exe Amdiei32.exe File opened for modification C:\Windows\SysWOW64\Nkapelka.exe Medglemj.exe File created C:\Windows\SysWOW64\Jlldoike.dll Eennefib.exe File opened for modification C:\Windows\SysWOW64\Gdhjpjjd.exe Gfgjbb32.exe File created C:\Windows\SysWOW64\Eeeolh32.dll Meadlo32.exe File created C:\Windows\SysWOW64\Pfdbpjmi.exe Pdeffgff.exe File created C:\Windows\SysWOW64\Nacmahgc.dll Oacdmo32.exe File created C:\Windows\SysWOW64\Aljldk32.dll Ppamjcpj.exe File opened for modification C:\Windows\SysWOW64\Mmdekf32.exe Mclpbqal.exe File created C:\Windows\SysWOW64\Jolhjj32.exe Jdfcla32.exe File opened for modification C:\Windows\SysWOW64\Fjocbhbo.exe Fcbnpnme.exe File opened for modification C:\Windows\SysWOW64\Nheqnpjk.exe Nkapelka.exe File opened for modification C:\Windows\SysWOW64\Jeolckne.exe Jnedgq32.exe File created C:\Windows\SysWOW64\Jaefne32.exe Jjknakhq.exe File created C:\Windows\SysWOW64\Hgbfhc32.exe Hmmakk32.exe File created C:\Windows\SysWOW64\Cnlpgibd.exe Becknc32.exe File created C:\Windows\SysWOW64\Hkfdijnh.dll Kjlcmdbb.exe File created C:\Windows\SysWOW64\Pmipdq32.exe Pgphggpe.exe File created C:\Windows\SysWOW64\Bleebc32.exe Boaeioej.exe File opened for modification C:\Windows\SysWOW64\Abhqefpg.exe Apggckbf.exe File created C:\Windows\SysWOW64\Dejhkj32.dll Dghadidj.exe File created C:\Windows\SysWOW64\Pnhacn32.exe Phlikg32.exe File created C:\Windows\SysWOW64\Pikqcl32.exe Pifghmae.exe File created C:\Windows\SysWOW64\Gnggfhnm.dll Nfiagd32.exe File created C:\Windows\SysWOW64\Mmhofbma.exe Mgngih32.exe File created C:\Windows\SysWOW64\Pkedbmab.exe Pdklebje.exe File created C:\Windows\SysWOW64\Abflfc32.exe Agqhik32.exe File opened for modification C:\Windows\SysWOW64\Ppikbm32.exe Pjlcjf32.exe File created C:\Windows\SysWOW64\Akihcfid.exe Aeopfl32.exe File created C:\Windows\SysWOW64\Bbefln32.exe Bliajd32.exe File created C:\Windows\SysWOW64\Cfcoblfb.exe Bmkjig32.exe File created C:\Windows\SysWOW64\Acmomgoa.exe Anqfepaj.exe File opened for modification C:\Windows\SysWOW64\Gjndpg32.exe Geqlhp32.exe File opened for modification C:\Windows\SysWOW64\Edeeci32.exe Ehlhih32.exe File opened for modification C:\Windows\SysWOW64\Ledepn32.exe Lafmjp32.exe File created C:\Windows\SysWOW64\Bkcjjhgp.exe Bgeadjai.exe File opened for modification C:\Windows\SysWOW64\Dnhgidka.exe Dgnolj32.exe File created C:\Windows\SysWOW64\Jbjabqbh.dll Mccokj32.exe File opened for modification C:\Windows\SysWOW64\Minipm32.exe Mjiloqjb.exe File created C:\Windows\SysWOW64\Bfpolopd.dll Minipm32.exe File created C:\Windows\SysWOW64\Lhbmedlk.dll Hhpheo32.exe File opened for modification C:\Windows\SysWOW64\Gjqinamq.exe Gddqejni.exe File created C:\Windows\SysWOW64\Beaohcmf.exe Bndjfjhl.exe File created C:\Windows\SysWOW64\Cpfoehnm.dll Iefnjm32.exe File created C:\Windows\SysWOW64\Gaibhj32.exe Gpjfng32.exe File created C:\Windows\SysWOW64\Fnbcgn32.exe Edeeci32.exe File created C:\Windows\SysWOW64\Acpkbf32.exe Acmomgoa.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5828 2204 WerFault.exe 732 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejqmmlpm.dll" Mhefhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiiajl32.dll" Kcphpdil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olndnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geceqfal.dll" Hmkeekag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpbokjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khiofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcpojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difici32.dll" Qpkppbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkpigmd.dll" Ahinbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjqfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fanbll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfddci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oojalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoamp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okceaikl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pacfjfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmqigke.dll" Kpanmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lonnfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lamlphoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbehhfik.dll" Kallod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkkcfa32.dll" Elkbhbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emfgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll" Conanfli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflmkg32.dll" Pmeoqlpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoonpe32.dll" Almifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkkbnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jopaejlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nheqnpjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgepcpk.dll" Kcikfcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qipjokik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll" Fdkdibjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abflfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gablgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ielfgmnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egnhcgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfenglqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eilfldoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoadhp32.dll" Flmonbbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfabok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aochga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fallih32.dll" Hlmchoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacfjfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acbhhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdaonmdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdkdbgpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmjninol.dll" Mejnlpai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiaee32.dll" Ehpmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaejhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnijbocc.dll" Dlcmgqdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bndjfjhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caompged.dll" Fmejlcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqedp32.dll" Lafmjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cffkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmheph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikjmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcfdc32.dll" Eckfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnibpanm.dll" Paaidf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegbgf32.dll" Nlknbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icelfhmg.dll" Jhfihp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1724 wrote to memory of 3516 1724 e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b.exe 97 PID 1724 wrote to memory of 3516 1724 e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b.exe 97 PID 1724 wrote to memory of 3516 1724 e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b.exe 97 PID 3516 wrote to memory of 1240 3516 Qdoacabq.exe 98 PID 3516 wrote to memory of 1240 3516 Qdoacabq.exe 98 PID 3516 wrote to memory of 1240 3516 Qdoacabq.exe 98 PID 1240 wrote to memory of 2440 1240 Amqhbe32.exe 99 PID 1240 wrote to memory of 2440 1240 Amqhbe32.exe 99 PID 1240 wrote to memory of 2440 1240 Amqhbe32.exe 99 PID 2440 wrote to memory of 3428 2440 Bobabg32.exe 101 PID 2440 wrote to memory of 3428 2440 Bobabg32.exe 101 PID 2440 wrote to memory of 3428 2440 Bobabg32.exe 101 PID 3428 wrote to memory of 3164 3428 Bacjdbch.exe 102 PID 3428 wrote to memory of 3164 3428 Bacjdbch.exe 102 PID 3428 wrote to memory of 3164 3428 Bacjdbch.exe 102 PID 3164 wrote to memory of 4928 3164 Cdimqm32.exe 103 PID 3164 wrote to memory of 4928 3164 Cdimqm32.exe 103 PID 3164 wrote to memory of 4928 3164 Cdimqm32.exe 103 PID 4928 wrote to memory of 1992 4928 Conanfli.exe 104 PID 4928 wrote to memory of 1992 4928 Conanfli.exe 104 PID 4928 wrote to memory of 1992 4928 Conanfli.exe 104 PID 1992 wrote to memory of 2944 1992 Cocjiehd.exe 105 PID 1992 wrote to memory of 2944 1992 Cocjiehd.exe 105 PID 1992 wrote to memory of 2944 1992 Cocjiehd.exe 105 PID 2944 wrote to memory of 436 2944 Cklhcfle.exe 106 PID 2944 wrote to memory of 436 2944 Cklhcfle.exe 106 PID 2944 wrote to memory of 436 2944 Cklhcfle.exe 106 PID 436 wrote to memory of 2088 436 Dkndie32.exe 107 PID 436 wrote to memory of 2088 436 Dkndie32.exe 107 PID 436 wrote to memory of 2088 436 Dkndie32.exe 107 PID 2088 wrote to memory of 2880 2088 Dgjoif32.exe 108 PID 2088 wrote to memory of 2880 2088 Dgjoif32.exe 108 PID 2088 wrote to memory of 2880 2088 Dgjoif32.exe 108 PID 2880 wrote to memory of 3296 2880 Ehlhih32.exe 109 PID 2880 wrote to memory of 3296 2880 Ehlhih32.exe 109 PID 2880 wrote to memory of 3296 2880 Ehlhih32.exe 109 PID 3296 wrote to memory of 2412 3296 Edeeci32.exe 110 PID 3296 wrote to memory of 2412 3296 Edeeci32.exe 110 PID 3296 wrote to memory of 2412 3296 Edeeci32.exe 110 PID 2412 wrote to memory of 4268 2412 Fnbcgn32.exe 111 PID 2412 wrote to memory of 4268 2412 Fnbcgn32.exe 111 PID 2412 wrote to memory of 4268 2412 Fnbcgn32.exe 111 PID 4268 wrote to memory of 4200 4268 Fqbliicp.exe 112 PID 4268 wrote to memory of 4200 4268 Fqbliicp.exe 112 PID 4268 wrote to memory of 4200 4268 Fqbliicp.exe 112 PID 4200 wrote to memory of 4080 4200 Fqeioiam.exe 114 PID 4200 wrote to memory of 4080 4200 Fqeioiam.exe 114 PID 4200 wrote to memory of 4080 4200 Fqeioiam.exe 114 PID 4080 wrote to memory of 748 4080 Fbgbnkfm.exe 115 PID 4080 wrote to memory of 748 4080 Fbgbnkfm.exe 115 PID 4080 wrote to memory of 748 4080 Fbgbnkfm.exe 115 PID 748 wrote to memory of 2920 748 Ggfglb32.exe 116 PID 748 wrote to memory of 2920 748 Ggfglb32.exe 116 PID 748 wrote to memory of 2920 748 Ggfglb32.exe 116 PID 2920 wrote to memory of 3604 2920 Gbnhoj32.exe 117 PID 2920 wrote to memory of 3604 2920 Gbnhoj32.exe 117 PID 2920 wrote to memory of 3604 2920 Gbnhoj32.exe 117 PID 3604 wrote to memory of 2424 3604 Gacepg32.exe 118 PID 3604 wrote to memory of 2424 3604 Gacepg32.exe 118 PID 3604 wrote to memory of 2424 3604 Gacepg32.exe 118 PID 2424 wrote to memory of 3256 2424 Geanfelc.exe 119 PID 2424 wrote to memory of 3256 2424 Geanfelc.exe 119 PID 2424 wrote to memory of 3256 2424 Geanfelc.exe 119 PID 3256 wrote to memory of 3764 3256 Hlmchoan.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b.exe"C:\Users\Admin\AppData\Local\Temp\e5a4cd0fd688015dc91cbd7651c4c332446e48a3402fb9a55d784bf26cd8c86b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Amqhbe32.exeC:\Windows\system32\Amqhbe32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Cklhcfle.exeC:\Windows\system32\Cklhcfle.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Fqeioiam.exeC:\Windows\system32\Fqeioiam.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Fbgbnkfm.exeC:\Windows\system32\Fbgbnkfm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Ggfglb32.exeC:\Windows\system32\Ggfglb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Geanfelc.exeC:\Windows\system32\Geanfelc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe23⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Hnphoj32.exeC:\Windows\system32\Hnphoj32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4596 -
C:\Windows\SysWOW64\Ipdndloi.exeC:\Windows\system32\Ipdndloi.exe25⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Lepleocn.exeC:\Windows\system32\Lepleocn.exe28⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Ledepn32.exeC:\Windows\system32\Ledepn32.exe30⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe31⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe32⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Lpochfji.exeC:\Windows\system32\Lpochfji.exe33⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Mablfnne.exeC:\Windows\system32\Mablfnne.exe34⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe36⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3232 -
C:\Windows\SysWOW64\Nfihbk32.exeC:\Windows\system32\Nfihbk32.exe38⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe39⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe40⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe41⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Pbcncibp.exeC:\Windows\system32\Pbcncibp.exe42⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Pjlcjf32.exeC:\Windows\system32\Pjlcjf32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Ppikbm32.exeC:\Windows\system32\Ppikbm32.exe44⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe45⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Pciqnk32.exeC:\Windows\system32\Pciqnk32.exe46⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Qamago32.exeC:\Windows\system32\Qamago32.exe47⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5168 -
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe49⤵
- Executes dropped EXE
PID:5216 -
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe50⤵
- Executes dropped EXE
PID:5256 -
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe51⤵
- Executes dropped EXE
PID:5300 -
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe52⤵
- Executes dropped EXE
PID:5340 -
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe53⤵
- Executes dropped EXE
PID:5384 -
C:\Windows\SysWOW64\Baepolni.exeC:\Windows\system32\Baepolni.exe54⤵
- Executes dropped EXE
PID:5424 -
C:\Windows\SysWOW64\Bmladm32.exeC:\Windows\system32\Bmladm32.exe55⤵
- Executes dropped EXE
PID:5464 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe56⤵
- Executes dropped EXE
PID:5512 -
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe57⤵
- Executes dropped EXE
PID:5556 -
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe59⤵
- Executes dropped EXE
PID:5636 -
C:\Windows\SysWOW64\Ckidcpjl.exeC:\Windows\system32\Ckidcpjl.exe60⤵
- Executes dropped EXE
PID:5684 -
C:\Windows\SysWOW64\Dphiaffa.exeC:\Windows\system32\Dphiaffa.exe61⤵
- Executes dropped EXE
PID:5728 -
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe62⤵
- Executes dropped EXE
PID:5768 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe63⤵
- Executes dropped EXE
PID:5816 -
C:\Windows\SysWOW64\Enjfli32.exeC:\Windows\system32\Enjfli32.exe64⤵
- Executes dropped EXE
PID:5856 -
C:\Windows\SysWOW64\Ecgodpgb.exeC:\Windows\system32\Ecgodpgb.exe65⤵
- Executes dropped EXE
PID:5904 -
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe66⤵PID:5948
-
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe67⤵PID:5984
-
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:6028 -
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe69⤵PID:6072
-
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe70⤵PID:6116
-
C:\Windows\SysWOW64\Fcbnpnme.exeC:\Windows\system32\Fcbnpnme.exe71⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe72⤵PID:3100
-
C:\Windows\SysWOW64\Gjaphgpl.exeC:\Windows\system32\Gjaphgpl.exe73⤵PID:5224
-
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe74⤵PID:5284
-
C:\Windows\SysWOW64\Gkcigjel.exeC:\Windows\system32\Gkcigjel.exe75⤵
- Drops file in System32 directory
PID:5360 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe76⤵PID:5432
-
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Gbbkocid.exeC:\Windows\system32\Gbbkocid.exe78⤵PID:5588
-
C:\Windows\SysWOW64\Hebcao32.exeC:\Windows\system32\Hebcao32.exe79⤵PID:5668
-
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe80⤵PID:5712
-
C:\Windows\SysWOW64\Hcjmhk32.exeC:\Windows\system32\Hcjmhk32.exe81⤵PID:5804
-
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe82⤵
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Inidkb32.exeC:\Windows\system32\Inidkb32.exe83⤵PID:5924
-
C:\Windows\SysWOW64\Icfmci32.exeC:\Windows\system32\Icfmci32.exe84⤵PID:6012
-
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe85⤵PID:6084
-
C:\Windows\SysWOW64\Jnedgq32.exeC:\Windows\system32\Jnedgq32.exe86⤵
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe87⤵PID:3052
-
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe88⤵PID:5264
-
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe89⤵PID:5380
-
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe90⤵PID:5456
-
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe91⤵PID:5692
-
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe92⤵PID:5796
-
C:\Windows\SysWOW64\Lolcnman.exeC:\Windows\system32\Lolcnman.exe93⤵PID:5996
-
C:\Windows\SysWOW64\Lamlphoo.exeC:\Windows\system32\Lamlphoo.exe94⤵
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe95⤵PID:5348
-
C:\Windows\SysWOW64\Mdnebc32.exeC:\Windows\system32\Mdnebc32.exe96⤵PID:5592
-
C:\Windows\SysWOW64\Mociol32.exeC:\Windows\system32\Mociol32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5752 -
C:\Windows\SysWOW64\Memalfcb.exeC:\Windows\system32\Memalfcb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5364 -
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe99⤵PID:5204
-
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe100⤵PID:3032
-
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe101⤵
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe102⤵PID:5352
-
C:\Windows\SysWOW64\Medglemj.exeC:\Windows\system32\Medglemj.exe103⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe104⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe105⤵
- Modifies registry class
PID:6152 -
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe106⤵
- Drops file in System32 directory
PID:6196 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe107⤵PID:6236
-
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe108⤵PID:6276
-
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe109⤵
- Modifies registry class
PID:6316 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6360 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe111⤵PID:6400
-
C:\Windows\SysWOW64\Pmeoqlpl.exeC:\Windows\system32\Pmeoqlpl.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6440 -
C:\Windows\SysWOW64\Pbbgicnd.exeC:\Windows\system32\Pbbgicnd.exe113⤵PID:6480
-
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe114⤵PID:6520
-
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe115⤵PID:6560
-
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe116⤵PID:6604
-
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe117⤵PID:6648
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe118⤵
- Drops file in System32 directory
PID:6688 -
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe119⤵PID:6740
-
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe120⤵PID:6788
-
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe121⤵PID:6836
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-