Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08/03/2024, 21:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe
-
Size
128KB
-
MD5
bf162d4b59bb700c2d19cd7b66ef13de
-
SHA1
25ff5d222940ceee4d9d7d018d24b3a66386542a
-
SHA256
9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37
-
SHA512
4b9b13cfd7e32551242c6655eed207006b92b1ead87efecf53bdd614c23b081c53854e98e74fb0caf922f8c2706dfb9fef415c8cce7047694df167ac83b04312
-
SSDEEP
3072:vzGy2jJd4T8myVqP4HRMQH2qC7ZQOlzSLUK6MwGsGnDc9nhViX:b6jP4Tfy44HRMQWfdQOhwJ6MwGsy
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekhneap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblckl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qajadlja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdegandp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ampkof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibicnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihnmohm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehedfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfhbppbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diicml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lalcng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhhamgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eocenh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnakhkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leoghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liggbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhdkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfoeega.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnkkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdgfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdbfodfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opcqnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibljoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pagdol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmlcmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlpokp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdlnbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 3172 Cpgqpe32.exe 2600 Cedihl32.exe 2988 Chbedh32.exe 4076 Cpjmee32.exe 3888 Cchiaqjm.exe 5020 Cibank32.exe 3116 Cpljkdig.exe 456 Camfbm32.exe 3160 Cpofpdgd.exe 3860 Ccmclp32.exe 1740 Dlegeemh.exe 5108 Doccaall.exe 1524 Dabpnlkp.exe 1048 Diihojkb.exe 1704 Dlgdkeje.exe 1848 Dofpgqji.exe 2584 Dadlclim.exe 3180 Djlddi32.exe 1576 Dohmlp32.exe 1832 Dagiil32.exe 3076 Djnaji32.exe 4040 Dokjbp32.exe 1400 Dfdbojmq.exe 3924 Dhcnke32.exe 3652 Dpjflb32.exe 4368 Ejbkehcg.exe 4080 Eckonn32.exe 4016 Ejegjh32.exe 4224 Epopgbia.exe 1216 Ecmlcmhe.exe 2232 Ejgdpg32.exe 5076 Eleplc32.exe 208 Ecphimfb.exe 4456 Efneehef.exe 1616 Elhmablc.exe 4536 Ecbenm32.exe 3200 Ejlmkgkl.exe 2544 Eqfeha32.exe 2568 Ecdbdl32.exe 3500 Fjnjqfij.exe 4784 Fqhbmqqg.exe 4452 Fbioei32.exe 1140 Fjqgff32.exe 4876 Fqkocpod.exe 4852 Fbllkh32.exe 2616 Fjcclf32.exe 4556 Fopldmcl.exe 3028 Fbnhphbp.exe 1204 Fjepaecb.exe 3156 Fmclmabe.exe 2844 Fqohnp32.exe 4308 Fcnejk32.exe 3360 Fflaff32.exe 2976 Fijmbb32.exe 3004 Fqaeco32.exe 4220 Gcpapkgp.exe 4248 Gfnnlffc.exe 3068 Gogbdl32.exe 1060 Gbenqg32.exe 4584 Gjlfbd32.exe 5044 Gmkbnp32.exe 3480 Goiojk32.exe 2208 Gbgkfg32.exe 604 Gjocgdkg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hofdacke.exe Hmhhehlb.exe File created C:\Windows\SysWOW64\Gdliee32.dll Process not Found File created C:\Windows\SysWOW64\Flafeh32.dll Process not Found File created C:\Windows\SysWOW64\Bheplb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hoobdp32.exe Process not Found File created C:\Windows\SysWOW64\Coffgmig.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jeocna32.exe Process not Found File created C:\Windows\SysWOW64\Pqfkck32.dll Fpodlbng.exe File created C:\Windows\SysWOW64\Lnpofnhk.exe Lkabjbih.exe File created C:\Windows\SysWOW64\Ckgofgjn.dll Process not Found File created C:\Windows\SysWOW64\Ibaeen32.exe Process not Found File created C:\Windows\SysWOW64\Kdmpmdpj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Adcjop32.exe Process not Found File created C:\Windows\SysWOW64\Qacameaj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iefioj32.exe Hbgmcnhf.exe File created C:\Windows\SysWOW64\Cnbkfjcb.dll Ngaionfl.exe File opened for modification C:\Windows\SysWOW64\Hdkidohn.exe Hammhcij.exe File opened for modification C:\Windows\SysWOW64\Gehbjm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pfdjinjo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dagiil32.exe Dohmlp32.exe File opened for modification C:\Windows\SysWOW64\Ehfcfb32.exe Empoiimf.exe File created C:\Windows\SysWOW64\Ocjggbdl.dll Process not Found File created C:\Windows\SysWOW64\Jpenfp32.exe Process not Found File created C:\Windows\SysWOW64\Fgcjfbed.exe Process not Found File created C:\Windows\SysWOW64\Ljbnfleo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nlaegk32.exe Njciko32.exe File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Cenahpha.exe File created C:\Windows\SysWOW64\Fijkdmhn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jedccfqg.exe Process not Found File created C:\Windows\SysWOW64\Kfpcoefj.exe Process not Found File created C:\Windows\SysWOW64\Edgbii32.exe Process not Found File created C:\Windows\SysWOW64\Eabbjc32.exe Eocenh32.exe File created C:\Windows\SysWOW64\Pkfcej32.dll Lgokmgjm.exe File created C:\Windows\SysWOW64\Khbdikip.exe Kfqgab32.exe File created C:\Windows\SysWOW64\Mhafeb32.exe Mniallpq.exe File created C:\Windows\SysWOW64\Mpggodfg.dll Process not Found File created C:\Windows\SysWOW64\Flinad32.dll Process not Found File created C:\Windows\SysWOW64\Laphko32.dll Aqkpeopg.exe File created C:\Windows\SysWOW64\Fgaemg32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jmbklj32.exe Jkdnpo32.exe File opened for modification C:\Windows\SysWOW64\Eoaihhlp.exe Elbmlmml.exe File created C:\Windows\SysWOW64\Jmmjgejj.exe Jfcbjk32.exe File created C:\Windows\SysWOW64\Kibgmdcn.exe Kfckahdj.exe File created C:\Windows\SysWOW64\Hhmkaf32.dll Mpjlklok.exe File created C:\Windows\SysWOW64\Pidcecbj.dll Pfnegggi.exe File created C:\Windows\SysWOW64\Ohfami32.exe Process not Found File created C:\Windows\SysWOW64\Gengje32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gihgfk32.exe Process not Found File created C:\Windows\SysWOW64\Lflbkcll.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oqihnn32.exe Onklabip.exe File created C:\Windows\SysWOW64\Angddopp.exe Alhhhcal.exe File created C:\Windows\SysWOW64\Mnbcedcn.dll Ibqpimpl.exe File created C:\Windows\SysWOW64\Anadoi32.exe Aclpap32.exe File created C:\Windows\SysWOW64\Knghil32.dll Emnbdioi.exe File opened for modification C:\Windows\SysWOW64\Hmbphg32.exe Process not Found File created C:\Windows\SysWOW64\Hlhmjl32.dll Process not Found File created C:\Windows\SysWOW64\Nnmopdep.exe Nkncdifl.exe File created C:\Windows\SysWOW64\Bagplp32.dll Jcioiood.exe File created C:\Windows\SysWOW64\Miaboe32.exe Majjng32.exe File created C:\Windows\SysWOW64\Pmdpecjm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fbplml32.exe Process not Found File created C:\Windows\SysWOW64\Eccphn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oqmhqapg.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 18216 18148 Process not Found 2004 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pagdol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lejnmncd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leadnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papdfone.dll" Mldhfpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll" Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdepoj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbcilkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhjfhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjakp32.dll" Ahhblemi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Conclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll" Ogkcpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdikecn.dll" Oekpkigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emeoooml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fehfljca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obqhpfck.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll" Hfcpncdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll" Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aieeeflh.dll" Ncjginjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoda32.dll" Kilpmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiglalpk.dll" Aaepqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fahaplon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghipne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimmfkfe.dll" Qcepkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" Ngpjnkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncnadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmbeqne.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhogopn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adcmmeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llcpoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" Lcbiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfhhoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpoefk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fknicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agnjelkm.dll" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljgpkonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfgbfdm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdihk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcmal32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeodmbol.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clbceo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 900 wrote to memory of 3172 900 9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe 89 PID 900 wrote to memory of 3172 900 9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe 89 PID 900 wrote to memory of 3172 900 9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe 89 PID 3172 wrote to memory of 2600 3172 Cpgqpe32.exe 90 PID 3172 wrote to memory of 2600 3172 Cpgqpe32.exe 90 PID 3172 wrote to memory of 2600 3172 Cpgqpe32.exe 90 PID 2600 wrote to memory of 2988 2600 Cedihl32.exe 91 PID 2600 wrote to memory of 2988 2600 Cedihl32.exe 91 PID 2600 wrote to memory of 2988 2600 Cedihl32.exe 91 PID 2988 wrote to memory of 4076 2988 Chbedh32.exe 92 PID 2988 wrote to memory of 4076 2988 Chbedh32.exe 92 PID 2988 wrote to memory of 4076 2988 Chbedh32.exe 92 PID 4076 wrote to memory of 3888 4076 Cpjmee32.exe 93 PID 4076 wrote to memory of 3888 4076 Cpjmee32.exe 93 PID 4076 wrote to memory of 3888 4076 Cpjmee32.exe 93 PID 3888 wrote to memory of 5020 3888 Cchiaqjm.exe 94 PID 3888 wrote to memory of 5020 3888 Cchiaqjm.exe 94 PID 3888 wrote to memory of 5020 3888 Cchiaqjm.exe 94 PID 5020 wrote to memory of 3116 5020 Cibank32.exe 95 PID 5020 wrote to memory of 3116 5020 Cibank32.exe 95 PID 5020 wrote to memory of 3116 5020 Cibank32.exe 95 PID 3116 wrote to memory of 456 3116 Cpljkdig.exe 96 PID 3116 wrote to memory of 456 3116 Cpljkdig.exe 96 PID 3116 wrote to memory of 456 3116 Cpljkdig.exe 96 PID 456 wrote to memory of 3160 456 Camfbm32.exe 97 PID 456 wrote to memory of 3160 456 Camfbm32.exe 97 PID 456 wrote to memory of 3160 456 Camfbm32.exe 97 PID 3160 wrote to memory of 3860 3160 Cpofpdgd.exe 98 PID 3160 wrote to memory of 3860 3160 Cpofpdgd.exe 98 PID 3160 wrote to memory of 3860 3160 Cpofpdgd.exe 98 PID 3860 wrote to memory of 1740 3860 Ccmclp32.exe 99 PID 3860 wrote to memory of 1740 3860 Ccmclp32.exe 99 PID 3860 wrote to memory of 1740 3860 Ccmclp32.exe 99 PID 1740 wrote to memory of 5108 1740 Dlegeemh.exe 100 PID 1740 wrote to memory of 5108 1740 Dlegeemh.exe 100 PID 1740 wrote to memory of 5108 1740 Dlegeemh.exe 100 PID 5108 wrote to memory of 1524 5108 Doccaall.exe 101 PID 5108 wrote to memory of 1524 5108 Doccaall.exe 101 PID 5108 wrote to memory of 1524 5108 Doccaall.exe 101 PID 1524 wrote to memory of 1048 1524 Dabpnlkp.exe 102 PID 1524 wrote to memory of 1048 1524 Dabpnlkp.exe 102 PID 1524 wrote to memory of 1048 1524 Dabpnlkp.exe 102 PID 1048 wrote to memory of 1704 1048 Diihojkb.exe 103 PID 1048 wrote to memory of 1704 1048 Diihojkb.exe 103 PID 1048 wrote to memory of 1704 1048 Diihojkb.exe 103 PID 1704 wrote to memory of 1848 1704 Dlgdkeje.exe 104 PID 1704 wrote to memory of 1848 1704 Dlgdkeje.exe 104 PID 1704 wrote to memory of 1848 1704 Dlgdkeje.exe 104 PID 1848 wrote to memory of 2584 1848 Dofpgqji.exe 105 PID 1848 wrote to memory of 2584 1848 Dofpgqji.exe 105 PID 1848 wrote to memory of 2584 1848 Dofpgqji.exe 105 PID 2584 wrote to memory of 3180 2584 Dadlclim.exe 106 PID 2584 wrote to memory of 3180 2584 Dadlclim.exe 106 PID 2584 wrote to memory of 3180 2584 Dadlclim.exe 106 PID 3180 wrote to memory of 1576 3180 Djlddi32.exe 107 PID 3180 wrote to memory of 1576 3180 Djlddi32.exe 107 PID 3180 wrote to memory of 1576 3180 Djlddi32.exe 107 PID 1576 wrote to memory of 1832 1576 Dohmlp32.exe 108 PID 1576 wrote to memory of 1832 1576 Dohmlp32.exe 108 PID 1576 wrote to memory of 1832 1576 Dohmlp32.exe 108 PID 1832 wrote to memory of 3076 1832 Dagiil32.exe 109 PID 1832 wrote to memory of 3076 1832 Dagiil32.exe 109 PID 1832 wrote to memory of 3076 1832 Dagiil32.exe 109 PID 3076 wrote to memory of 4040 3076 Djnaji32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe"C:\Users\Admin\AppData\Local\Temp\9e6b63edc20d72863a6cf916f6b20c06b16283a82ef12a9a283f25bb9f901b37.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe23⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe24⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe25⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe26⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe27⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe28⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe29⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe30⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe32⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe33⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe34⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe35⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe36⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe37⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe38⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe39⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe40⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe41⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe42⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe43⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe44⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe45⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe46⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe47⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe48⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe49⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe50⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe51⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe52⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe53⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe54⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe55⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe56⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe57⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe58⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe59⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe60⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe61⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe62⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe63⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe64⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe65⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe66⤵PID:3960
-
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe67⤵PID:3564
-
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe68⤵PID:1020
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe69⤵PID:3524
-
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe70⤵PID:4268
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe71⤵PID:756
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe72⤵PID:4948
-
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe73⤵PID:8
-
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe74⤵PID:4320
-
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe75⤵PID:868
-
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe76⤵PID:1820
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe77⤵PID:1780
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe78⤵PID:4964
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe79⤵PID:540
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe80⤵PID:4176
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe81⤵PID:2812
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe82⤵PID:1008
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe83⤵PID:412
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe84⤵PID:872
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe85⤵PID:3384
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe86⤵PID:5132
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe87⤵PID:5184
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe88⤵PID:5224
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe89⤵PID:5272
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe90⤵PID:5320
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe91⤵PID:5360
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe92⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5456 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe94⤵PID:5496
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe95⤵PID:5548
-
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe96⤵PID:5584
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe97⤵PID:5620
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe98⤵PID:5672
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe99⤵PID:5716
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe100⤵PID:5764
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe101⤵PID:5804
-
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe102⤵PID:5840
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe103⤵PID:5884
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe104⤵PID:5924
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe105⤵
- Modifies registry class
PID:5968 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe106⤵PID:6008
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe107⤵PID:6052
-
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe108⤵PID:6088
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe109⤵PID:6140
-
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe110⤵PID:5168
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe111⤵PID:5256
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe112⤵PID:5308
-
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe113⤵PID:5396
-
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe114⤵PID:5468
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe115⤵PID:5524
-
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe116⤵PID:5628
-
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe117⤵PID:5712
-
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe118⤵PID:5788
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe119⤵PID:5876
-
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe120⤵PID:5944
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe121⤵PID:5992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-