Analysis
max time kernel: 132s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2024, 22:59
Static task: static1
Behavioral task: behavioral1
  Sample: 6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe
  Resource: win10v2004-20240226-en
General
Target: 6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe
Size: 188KB
MD5: 1b14780b547caed61a906f399433bd11
SHA1: eca39ccd30eb4c56a00028e594c408ca775b7713
SHA256: 6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c
SHA512: 16a6c994b7fce459a1c69bede82431161ecf52b1979711000c107b21090d4ab9e690e7f8391c8d303ba89fef8ca5b108b4f953127ff89534bd1713aa957268cf
SSDEEP: 3072:UncWlC4mhD2M3qrg1AerDtsr3vhqhEN4MAH+mbPepZBC8qzNJSKrDco:IcWlCRx7Gg1AelhEN4MujGJoSoDco
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dldpde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Holjjd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qibfdkgh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aefcif32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cddemi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghmbib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkodak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ikjcmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hoiihcde.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koeajo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gngnjk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inhion32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Peajngoi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beaced32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gkeonggf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hojndd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfpqap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nmbamdkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ollgiplp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afboll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kbpkdd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilpfgg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmnjan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nifldj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odhiemil.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpgnmcdh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfalhgni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddbbngjb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iciflfcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Akenij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnienqbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfgnka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcijoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjqgpl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhohfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhgccijm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqnfon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Obdbqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dlbcoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acdbpq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccednl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjjcmbci.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knenffqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkagndmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Okjbimal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dogfkpih.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmefafql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hahedoci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dcglfjgf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnkioq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Khmoionj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jgmapcqe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdoiaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qbhnga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpapiipo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghcjedcj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhdlbp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coojpg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkefphem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkgejncb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgbmdd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqpbboeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmipdq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjlfkj32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2924 | Hegmlnbp.exe
4520 | Jeaiij32.exe
3640 | Kahinkaf.exe
3648 | Lojfin32.exe
4044 | Mhpgca32.exe
2456 | Pdngpo32.exe
3644 | Pmmeak32.exe
1768 | Qelcamcj.exe
1432 | Albkieqj.exe
764 | Fjjcmbci.exe
2972 | Gqkajk32.exe
3292 | Gqokekph.exe
3592 | Ijhhenhf.exe
2472 | Jmbdmg32.exe
1752 | Jgjeppkp.exe
2064 | Kfanflne.exe
2192 | Lelajb32.exe
4036 | Lfmnbjcg.exe
4320 | Lmnlpcel.exe
3972 | Maaoaa32.exe
1764 | Mgbpdgap.exe
2632 | Nkpijfgf.exe
1140 | Nefmgogl.exe
3004 | Nhffijdm.exe
3344 | Nncoaq32.exe
2296 | Ohpiphlb.exe
4364 | Oediim32.exe
4996 | Oolnabal.exe
3096 | Pdnpeh32.exe
3248 | Qdipag32.exe
4260 | Qfilkj32.exe
4904 | Akfdcq32.exe
4524 | Agckiqgg.exe
3692 | Abipfifn.exe
4580 | Bkhjpn32.exe
1652 | Bbeobhlp.exe
1624 | Cfbhhfbg.exe
3580 | Dngobghg.exe
3132 | Decdeama.exe
4624 | Fhgccijm.exe
2384 | Hjieii32.exe
4144 | Imhjlb32.exe
1756 | Ifckkhfi.exe
372 | Jqhphq32.exe
1080 | Jfgefg32.exe
2996 | Jqmicpbj.exe
2256 | Jjemle32.exe
1044 | Jobfdl32.exe
4592 | Kaflio32.exe
4428 | Kcgekjgp.exe
3852 | Kjamhd32.exe
632 | Kfhnme32.exe
2680 | Mdodbf32.exe
2248 | Nalgbi32.exe
4884 | Nkdlkope.exe
3624 | Omgabj32.exe
1068 | Odfcjc32.exe
5128 | Oickbjmb.exe
5176 | Odhppclh.exe
5240 | Onqdhh32.exe
5288 | Pjjaci32.exe
5332 | Ppdjpcng.exe
5408 | Pgnblm32.exe
5448 | Qajlje32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Pmfhbm32.exe | Pjhlfb32.exe
File opened for modification | C:\Windows\SysWOW64\Dngobghg.exe | Cfbhhfbg.exe
File created | C:\Windows\SysWOW64\Gfifen32.dll | Jacnegep.exe
File created | C:\Windows\SysWOW64\Ldbhbp32.dll | Lglopjkg.exe
File created | C:\Windows\SysWOW64\Fndcdafh.dll | Pckfdh32.exe
File created | C:\Windows\SysWOW64\Ofbjei32.dll | Hjchjl32.exe
File opened for modification | C:\Windows\SysWOW64\Ebkbmqhb.exe | Efdbhpbn.exe
File created | C:\Windows\SysWOW64\Gnjmmfin.dll | Eaklcj32.exe
File opened for modification | C:\Windows\SysWOW64\Fljcfa32.exe | Fadoii32.exe
File opened for modification | C:\Windows\SysWOW64\Ppphkq32.exe | Picchg32.exe
File opened for modification | C:\Windows\SysWOW64\Fokbbcmo.exe | Fofigd32.exe
File created | C:\Windows\SysWOW64\Mofmin32.dll | Gcneca32.exe
File created | C:\Windows\SysWOW64\Haoighmd.exe | Hkeajn32.exe
File created | C:\Windows\SysWOW64\Poqckdap.exe | Pbjbfclk.exe
File opened for modification | C:\Windows\SysWOW64\Cfkenogb.exe | Bnhjinpo.exe
File opened for modification | C:\Windows\SysWOW64\Efdbhpbn.exe | Eokjke32.exe
File opened for modification | C:\Windows\SysWOW64\Igabdekb.exe | Holjjd32.exe
File opened for modification | C:\Windows\SysWOW64\Jnoopm32.exe | Jlnbhe32.exe
File created | C:\Windows\SysWOW64\Denihh32.dll | Jbccbi32.exe
File created | C:\Windows\SysWOW64\Jmafec32.dll | Jmbdmg32.exe
File opened for modification | C:\Windows\SysWOW64\Jcknee32.exe | Jlafhkfe.exe
File opened for modification | C:\Windows\SysWOW64\Almifk32.exe | Akkmocjl.exe
File created | C:\Windows\SysWOW64\Efdbhpbn.exe | Eokjke32.exe
File opened for modification | C:\Windows\SysWOW64\Hmdend32.exe | Hboaql32.exe
File opened for modification | C:\Windows\SysWOW64\Pjkofh32.exe | Pjhbah32.exe
File created | C:\Windows\SysWOW64\Jlnbhe32.exe | Jddnah32.exe
File created | C:\Windows\SysWOW64\Meepoc32.exe | Kfdcbiol.exe
File created | C:\Windows\SysWOW64\Ckefeicm.dll | Npfchkop.exe
File opened for modification | C:\Windows\SysWOW64\Jqihjbod.exe | Jdkadb32.exe
File created | C:\Windows\SysWOW64\Pgebnc32.dll | Cmipkb32.exe
File created | C:\Windows\SysWOW64\Kfngadmp.dll | Cmklaaek.exe
File created | C:\Windows\SysWOW64\Daiegp32.exe | Djomjfde.exe
File created | C:\Windows\SysWOW64\Pbjbfclk.exe | Olpjii32.exe
File created | C:\Windows\SysWOW64\Jbccbi32.exe | Ibjqlj32.exe
File created | C:\Windows\SysWOW64\Gfdahb32.dll | Cjaiac32.exe
File created | C:\Windows\SysWOW64\Gjikhb32.dll | Fhdocc32.exe
File created | C:\Windows\SysWOW64\Hahedoci.exe | Hoiihcde.exe
File opened for modification | C:\Windows\SysWOW64\Oolnabal.exe | Oediim32.exe
File created | C:\Windows\SysWOW64\Jajdff32.exe | Jkplilgk.exe
File created | C:\Windows\SysWOW64\Omdgng32.dll | Okjbimal.exe
File opened for modification | C:\Windows\SysWOW64\Mqpcdn32.exe | Mnaghb32.exe
File created | C:\Windows\SysWOW64\Cimhdglm.dll | Dhndil32.exe
File created | C:\Windows\SysWOW64\Ogljcokf.exe | Oqbagd32.exe
File created | C:\Windows\SysWOW64\Neebkkgi.exe | Nnkioq32.exe
File created | C:\Windows\SysWOW64\Eiijfg32.dll | Ldjodh32.exe
File opened for modification | C:\Windows\SysWOW64\Eaklcj32.exe | Ekqcfpmj.exe
File created | C:\Windows\SysWOW64\Npckcb32.dll | Niconj32.exe
File opened for modification | C:\Windows\SysWOW64\Nifldj32.exe | Nophfa32.exe
File created | C:\Windows\SysWOW64\Epplai32.dll | Ikjcmi32.exe
File created | C:\Windows\SysWOW64\Amdiei32.exe | Qibfdkgh.exe
File created | C:\Windows\SysWOW64\Mqnfon32.exe | Mnojcb32.exe
File created | C:\Windows\SysWOW64\Fhjlkg32.exe | Fmehnn32.exe
File created | C:\Windows\SysWOW64\Oijqbh32.exe | Ooalibaf.exe
File created | C:\Windows\SysWOW64\Chphhn32.exe | Cccppgcp.exe
File opened for modification | C:\Windows\SysWOW64\Ngbgmpcq.exe | Nbfoeiei.exe
File opened for modification | C:\Windows\SysWOW64\Jlafhkfe.exe | Jfgnka32.exe
File opened for modification | C:\Windows\SysWOW64\Dlckik32.exe | Coojpg32.exe
File created | C:\Windows\SysWOW64\Lmqggncn.exe | Lgfojd32.exe
File created | C:\Windows\SysWOW64\Edijfd32.dll | Qnlkllcf.exe
File created | C:\Windows\SysWOW64\Caimachg.exe | Cojqdhid.exe
File created | C:\Windows\SysWOW64\Dcalae32.exe | Dpcpei32.exe
File opened for modification | C:\Windows\SysWOW64\Obanqgkl.exe | Ogljcokf.exe
File created | C:\Windows\SysWOW64\Ilfhfg32.dll | Ddhhnana.exe
File created | C:\Windows\SysWOW64\Likndk32.dll | Nhffijdm.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cggnhlml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Idbalhho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dpcpei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kfhbifgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Haoighmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eqalfgll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Daneme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekglfk32.dll" | Ekdolcbm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hmbpbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjobl32.dll" | Oqbagd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooglp32.dll" | Dldpde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fajgfiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Anadho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnafpac.dll" | Fkiobhac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qccnll32.dll" | Kkechjib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomgmanl.dll" | Dlgmjdlg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgedm32.dll" | Lgkakm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgebnc32.dll" | Cmipkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbpjb32.dll" | Hoiihcde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghbke32.dll" | Koeajo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bppjhl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Djomjfde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haajpgna.dll" | Fceihh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jenhmaeh.dll" | Nocphd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gcojoj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nncoaq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jehcfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plaebilk.dll" | Daolgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfafplq.dll" | Ihfglhfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihhnokg.dll" | Ffjkdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locoilae.dll" | Dpcpei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denihh32.dll" | Jbccbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Papnhbgi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdkgam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iojgkbib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiljgjpp.dll" | Omdnbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jekpljgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Paqebike.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jecoog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmmelo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Akkmocjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idbalhho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gqfohdjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjldd32.dll" | Denlgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lngmhm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Obanqgkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdmmfmn.dll" | Keakqeal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfangk32.dll" | Kfpqap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appgbghf.dll" | Mdjapphl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acafdoho.dll" | Faakickc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mhpgca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qggebl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Goabhl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cckmklac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hdlhoefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphnld32.dll" | Oijqbh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgjeppkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmgi32.dll" | Nildajdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qkmqne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfqogfjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklgbhpo.dll" | Dhhnipbe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Koeajo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Olpjii32.exe
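Taken together, the "Adds autorun key" and "Modifies registry class" tables describe one persistence chain: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" points at CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and that CLSID's InProcServer32 default value is rewritten, by one dropped executable after another, to whichever SysWow64 DLL was dropped last. The check a responder would run on a suspect host is to walk SSODL, resolve each CLSID to its InProcServer32 DLL and look at what that DLL is. The script below is an added example written for this page; it is not part of the tria.ge report and not code from the sample. The CLSID, the value name and the SysWow64 naming pattern come from the tables above; the function name Get-SsodlFinding, the file-name regex, and the rule that any non-Valid Authenticode status counts as suspect are the editor's assumptions.

```powershell
# Added example (not from the tria.ge report): enumerate ShellServiceObjectDelayLoad
# entries, resolve each CLSID to its InProcServer32 DLL and flag the indicators
# seen in this report. Function name, regex heuristic and the "non-Valid signature
# is suspect" rule are the editor's assumptions.

$KnownBadClsid = '{79FAA099-1BAE-816E-D711-115290CEE717}'   # from the tables above
$KnownBadName  = 'Web Event Logger'                          # from the tables above

# The sample is a 32-bit image, so its writes landed in the WOW6432Node view; check both.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-SsodlFinding {
    $findings = @()
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $view  = if ($key -like '*WOW6432Node*') { 'WOW6432Node' } else { 'native' }
        $entry = Get-ItemProperty -Path $key
        foreach ($prop in $entry.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata properties; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $clsid   = [string]$prop.Value
            $dll     = $null
            $reasons = @()

            # Resolve CLSID -> InProcServer32 default value across all class roots.
            foreach ($root in $ClsidRoots) {
                $ips = Join-Path -Path $root -ChildPath "$clsid\InProcServer32"
                if (Test-Path -Path $ips) {
                    $dll = (Get-ItemProperty -Path $ips).'(default)'
                    if ($dll) { break }
                }
            }

            if ($clsid -eq $KnownBadClsid)  { $reasons += 'CLSID seen in this report' }
            if ($prop.Name -eq $KnownBadName) { $reasons += 'value name seen in this report' }

            if ($dll) {
                $path = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
                $leaf = Split-Path -Path $path -Leaf
                # Assumption: dropped DLLs are 8 letters, or 6 letters plus "32" (see the tables above).
                if ($leaf -match '^([a-z]{8}|[a-z]{6}32)\.dll$') { $reasons += 'dropped-file naming pattern' }
                if (Test-Path -Path $path) {
                    $sig = Get-AuthenticodeSignature -FilePath $path
                    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
                } else {
                    $reasons += 'InProcServer32 target missing on disk'
                }
            } else {
                $reasons += 'CLSID has no InProcServer32 in any class root'
            }

            $findings += [pscustomobject]@{
                View    = $view
                Name    = $prop.Name
                CLSID   = $clsid
                DLL     = $dll
                Suspect = ($reasons.Count -gt 0)
                Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Get-SsodlFinding | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Reading HKLM needs no elevation, so this runs from an ordinary PowerShell session. A stock Windows install may carry a small number of Microsoft-signed SSODL entries; the signature status, not the presence of an entry, is what separates them from a planted one. One caveat before concluding that this persistence actually fires: every write in the report sits under WOW6432Node, which is where a 32-bit process's HKLM\SOFTWARE writes are redirected, and Explorer on the windows10-2004_x64 platform is a 64-bit process. Whether that build's Explorer honours the WOW6432Node view of SSODL is something to confirm on the target, which is also why the script checks both views rather than assuming either.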
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 5000 wrote to memory of 2924 | 5000 | 6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe | 99
PID 5000 wrote to memory of 2924 | 5000 | 6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe | 99
PID 5000 wrote to memory of 2924 | 5000 | 6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe | 99
PID 2924 wrote to memory of 4520 | 2924 | Hegmlnbp.exe | 100
PID 2924 wrote to memory of 4520 | 2924 | Hegmlnbp.exe | 100
PID 2924 wrote to memory of 4520 | 2924 | Hegmlnbp.exe | 100
PID 4520 wrote to memory of 3640 | 4520 | Jeaiij32.exe | 102
PID 4520 wrote to memory of 3640 | 4520 | Jeaiij32.exe | 102
PID 4520 wrote to memory of 3640 | 4520 | Jeaiij32.exe | 102
PID 3640 wrote to memory of 3648 | 3640 | Kahinkaf.exe | 103
PID 3640 wrote to memory of 3648 | 3640 | Kahinkaf.exe | 103
PID 3640 wrote to memory of 3648 | 3640 | Kahinkaf.exe | 103
PID 3648 wrote to memory of 4044 | 3648 | Lojfin32.exe | 104
PID 3648 wrote to memory of 4044 | 3648 | Lojfin32.exe | 104
PID 3648 wrote to memory of 4044 | 3648 | Lojfin32.exe | 104
PID 4044 wrote to memory of 2456 | 4044 | Mhpgca32.exe | 105
PID 4044 wrote to memory of 2456 | 4044 | Mhpgca32.exe | 105
PID 4044 wrote to memory of 2456 | 4044 | Mhpgca32.exe | 105
PID 2456 wrote to memory of 3644 | 2456 | Pdngpo32.exe | 106
PID 2456 wrote to memory of 3644 | 2456 | Pdngpo32.exe | 106
PID 2456 wrote to memory of 3644 | 2456 | Pdngpo32.exe | 106
PID 3644 wrote to memory of 1768 | 3644 | Pmmeak32.exe | 107
PID 3644 wrote to memory of 1768 | 3644 | Pmmeak32.exe | 107
PID 3644 wrote to memory of 1768 | 3644 | Pmmeak32.exe | 107
PID 1768 wrote to memory of 1432 | 1768 | Qelcamcj.exe | 110
PID 1768 wrote to memory of 1432 | 1768 | Qelcamcj.exe | 110
PID 1768 wrote to memory of 1432 | 1768 | Qelcamcj.exe | 110
PID 1792 wrote to memory of 764 | 1792 | Cbaehl32.exe | 112
PID 1792 wrote to memory of 764 | 1792 | Cbaehl32.exe | 112
PID 1792 wrote to memory of 764 | 1792 | Cbaehl32.exe | 112
PID 764 wrote to memory of 2972 | 764 | Fjjcmbci.exe | 114
PID 764 wrote to memory of 2972 | 764 | Fjjcmbci.exe | 114
PID 764 wrote to memory of 2972 | 764 | Fjjcmbci.exe | 114
PID 2972 wrote to memory of 3292 | 2972 | Gqkajk32.exe | 115
PID 2972 wrote to memory of 3292 | 2972 | Gqkajk32.exe | 115
PID 2972 wrote to memory of 3292 | 2972 | Gqkajk32.exe | 115
PID 3292 wrote to memory of 3592 | 3292 | Gqokekph.exe | 116
PID 3292 wrote to memory of 3592 | 3292 | Gqokekph.exe | 116
PID 3292 wrote to memory of 3592 | 3292 | Gqokekph.exe | 116
PID 3592 wrote to memory of 2472 | 3592 | Ijhhenhf.exe | 117
PID 3592 wrote to memory of 2472 | 3592 | Ijhhenhf.exe | 117
PID 3592 wrote to memory of 2472 | 3592 | Ijhhenhf.exe | 117
PID 2472 wrote to memory of 1752 | 2472 | Jmbdmg32.exe | 118
PID 2472 wrote to memory of 1752 | 2472 | Jmbdmg32.exe | 118
PID 2472 wrote to memory of 1752 | 2472 | Jmbdmg32.exe | 118
PID 1752 wrote to memory of 2064 | 1752 | Jgjeppkp.exe | 119
PID 1752 wrote to memory of 2064 | 1752 | Jgjeppkp.exe | 119
PID 1752 wrote to memory of 2064 | 1752 | Jgjeppkp.exe | 119
PID 2064 wrote to memory of 2192 | 2064 | Kfanflne.exe | 120
PID 2064 wrote to memory of 2192 | 2064 | Kfanflne.exe | 120
PID 2064 wrote to memory of 2192 | 2064 | Kfanflne.exe | 120
PID 2192 wrote to memory of 4036 | 2192 | Lelajb32.exe | 121
PID 2192 wrote to memory of 4036 | 2192 | Lelajb32.exe | 121
PID 2192 wrote to memory of 4036 | 2192 | Lelajb32.exe | 121
PID 4036 wrote to memory of 4320 | 4036 | Lfmnbjcg.exe | 122
PID 4036 wrote to memory of 4320 | 4036 | Lfmnbjcg.exe | 122
PID 4036 wrote to memory of 4320 | 4036 | Lfmnbjcg.exe | 122
PID 4320 wrote to memory of 3972 | 4320 | Lmnlpcel.exe | 123
PID 4320 wrote to memory of 3972 | 4320 | Lmnlpcel.exe | 123
PID 4320 wrote to memory of 3972 | 4320 | Lmnlpcel.exe | 123
PID 3972 wrote to memory of 1764 | 3972 | Maaoaa32.exe | 124
PID 3972 wrote to memory of 1764 | 3972 | Maaoaa32.exe | 124
PID 3972 wrote to memory of 1764 | 3972 | Maaoaa32.exe | 124
PID 1764 wrote to memory of 2632 | 1764 | Mgbpdgap.exe | 125
Processes
Tree depth is given in brackets; depth increases by one at every step, so each process is the child of the one listed before it. The image path is under SysWOW64 while the command line names system32: the dropped executables are 32-bit, and the WOW64 file-system redirector maps system32 to SysWOW64 for them.
[1] C:\Users\Admin\AppData\Local\Temp\6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6e882ea5cd08e9295bdfe25a8ca33370547f70fa1e37a05031632abdf721a64c.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 5000
[2] C:\Windows\SysWOW64\Hegmlnbp.exe
    command line: C:\Windows\system32\Hegmlnbp.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2924
[3] C:\Windows\SysWOW64\Jeaiij32.exe
    command line: C:\Windows\system32\Jeaiij32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4520
[4] C:\Windows\SysWOW64\Kahinkaf.exe
    command line: C:\Windows\system32\Kahinkaf.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3640
[5] C:\Windows\SysWOW64\Lojfin32.exe
    command line: C:\Windows\system32\Lojfin32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3648
[6] C:\Windows\SysWOW64\Mhpgca32.exe
    command line: C:\Windows\system32\Mhpgca32.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4044
[7] C:\Windows\SysWOW64\Pdngpo32.exe
    command line: C:\Windows\system32\Pdngpo32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2456
[8] C:\Windows\SysWOW64\Pmmeak32.exe
    command line: C:\Windows\system32\Pmmeak32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3644
[9] C:\Windows\SysWOW64\Qelcamcj.exe
    command line: C:\Windows\system32\Qelcamcj.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1768
[10] C:\Windows\SysWOW64\Albkieqj.exe
    command line: C:\Windows\system32\Albkieqj.exe
    - Executes dropped EXE
    PID: 1432
[11] C:\Windows\SysWOW64\Cbaehl32.exe
    command line: C:\Windows\system32\Cbaehl32.exe
    - Suspicious use of WriteProcessMemory
    PID: 1792
[12] C:\Windows\SysWOW64\Fjjcmbci.exe
    command line: C:\Windows\system32\Fjjcmbci.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 764
[13] C:\Windows\SysWOW64\Gqkajk32.exe
    command line: C:\Windows\system32\Gqkajk32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2972
[14] C:\Windows\SysWOW64\Gqokekph.exe
    command line: C:\Windows\system32\Gqokekph.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3292
[15] C:\Windows\SysWOW64\Ijhhenhf.exe
    command line: C:\Windows\system32\Ijhhenhf.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3592
[16] C:\Windows\SysWOW64\Jmbdmg32.exe
    command line: C:\Windows\system32\Jmbdmg32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2472
[17] C:\Windows\SysWOW64\Jgjeppkp.exe
    command line: C:\Windows\system32\Jgjeppkp.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1752
[18] C:\Windows\SysWOW64\Kfanflne.exe
    command line: C:\Windows\system32\Kfanflne.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2064
[19] C:\Windows\SysWOW64\Lelajb32.exe
    command line: C:\Windows\system32\Lelajb32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2192
[20] C:\Windows\SysWOW64\Lfmnbjcg.exe
    command line: C:\Windows\system32\Lfmnbjcg.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4036
[21] C:\Windows\SysWOW64\Lmnlpcel.exe
    command line: C:\Windows\system32\Lmnlpcel.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4320
[22] C:\Windows\SysWOW64\Maaoaa32.exe
    command line: C:\Windows\system32\Maaoaa32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3972
[23] C:\Windows\SysWOW64\Mgbpdgap.exe
    command line: C:\Windows\system32\Mgbpdgap.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1764
[24] C:\Windows\SysWOW64\Nkpijfgf.exe
    command line: C:\Windows\system32\Nkpijfgf.exe
    - Executes dropped EXE
    PID: 2632
[25] C:\Windows\SysWOW64\Nefmgogl.exe
    command line: C:\Windows\system32\Nefmgogl.exe
    - Executes dropped EXE
    PID: 1140
[26] C:\Windows\SysWOW64\Nhffijdm.exe
    command line: C:\Windows\system32\Nhffijdm.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Nncoaq32.exeC:\Windows\system32\Nncoaq32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3344 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe28⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4364 -
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe30⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Pdnpeh32.exeC:\Windows\system32\Pdnpeh32.exe31⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe32⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Qfilkj32.exeC:\Windows\system32\Qfilkj32.exe33⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe34⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Agckiqgg.exeC:\Windows\system32\Agckiqgg.exe35⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Abipfifn.exeC:\Windows\system32\Abipfifn.exe36⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Bkhjpn32.exeC:\Windows\system32\Bkhjpn32.exe37⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe38⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Cfbhhfbg.exeC:\Windows\system32\Cfbhhfbg.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe40⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Decdeama.exeC:\Windows\system32\Decdeama.exe41⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Fhgccijm.exeC:\Windows\system32\Fhgccijm.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Hjieii32.exeC:\Windows\system32\Hjieii32.exe43⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Imhjlb32.exeC:\Windows\system32\Imhjlb32.exe44⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Ifckkhfi.exeC:\Windows\system32\Ifckkhfi.exe45⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Jqhphq32.exeC:\Windows\system32\Jqhphq32.exe46⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Jfgefg32.exeC:\Windows\system32\Jfgefg32.exe47⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Jqmicpbj.exeC:\Windows\system32\Jqmicpbj.exe48⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jjemle32.exeC:\Windows\system32\Jjemle32.exe49⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Jobfdl32.exeC:\Windows\system32\Jobfdl32.exe50⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Kaflio32.exeC:\Windows\system32\Kaflio32.exe51⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Kcgekjgp.exeC:\Windows\system32\Kcgekjgp.exe52⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Kjamhd32.exeC:\Windows\system32\Kjamhd32.exe53⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Kfhnme32.exeC:\Windows\system32\Kfhnme32.exe54⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Mdodbf32.exeC:\Windows\system32\Mdodbf32.exe55⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe56⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Nkdlkope.exeC:\Windows\system32\Nkdlkope.exe57⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Omgabj32.exeC:\Windows\system32\Omgabj32.exe58⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Odfcjc32.exeC:\Windows\system32\Odfcjc32.exe59⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe60⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\Odhppclh.exeC:\Windows\system32\Odhppclh.exe61⤵
- Executes dropped EXE
PID:5176 -
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe62⤵
- Executes dropped EXE
PID:5240 -
C:\Windows\SysWOW64\Pjjaci32.exeC:\Windows\system32\Pjjaci32.exe63⤵
- Executes dropped EXE
PID:5288 -
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe64⤵
- Executes dropped EXE
PID:5332 -
C:\Windows\SysWOW64\Pgnblm32.exeC:\Windows\system32\Pgnblm32.exe65⤵
- Executes dropped EXE
PID:5408 -
C:\Windows\SysWOW64\Qajlje32.exeC:\Windows\system32\Qajlje32.exe66⤵
- Executes dropped EXE
PID:5448 -
C:\Windows\SysWOW64\Qggebl32.exeC:\Windows\system32\Qggebl32.exe67⤵
- Modifies registry class
PID:5496 -
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe68⤵PID:5536
-
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe70⤵PID:5616
-
C:\Windows\SysWOW64\Ahinbo32.exeC:\Windows\system32\Ahinbo32.exe71⤵PID:5652
-
C:\Windows\SysWOW64\Anffje32.exeC:\Windows\system32\Anffje32.exe72⤵PID:5700
-
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Bkefphem.exeC:\Windows\system32\Bkefphem.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Bbpolb32.exeC:\Windows\system32\Bbpolb32.exe75⤵PID:5824
-
C:\Windows\SysWOW64\Cbdhgaid.exeC:\Windows\system32\Cbdhgaid.exe76⤵PID:5864
-
C:\Windows\SysWOW64\Cgaqphgl.exeC:\Windows\system32\Cgaqphgl.exe77⤵PID:5904
-
C:\Windows\SysWOW64\Cnkilbni.exeC:\Windows\system32\Cnkilbni.exe78⤵PID:5944
-
C:\Windows\SysWOW64\Cjaiac32.exeC:\Windows\system32\Cjaiac32.exe79⤵
- Drops file in System32 directory
PID:5984 -
C:\Windows\SysWOW64\Cicjokll.exeC:\Windows\system32\Cicjokll.exe80⤵PID:6024
-
C:\Windows\SysWOW64\Cjdfgc32.exeC:\Windows\system32\Cjdfgc32.exe81⤵PID:6068
-
C:\Windows\SysWOW64\Ciefek32.exeC:\Windows\system32\Ciefek32.exe82⤵PID:6112
-
C:\Windows\SysWOW64\Dbphcpog.exeC:\Windows\system32\Dbphcpog.exe83⤵PID:3356
-
C:\Windows\SysWOW64\Dijppjfd.exeC:\Windows\system32\Dijppjfd.exe84⤵PID:5188
-
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe85⤵PID:5248
-
C:\Windows\SysWOW64\Dnienqbi.exeC:\Windows\system32\Dnienqbi.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Decmjjie.exeC:\Windows\system32\Decmjjie.exe87⤵PID:5416
-
C:\Windows\SysWOW64\Ehklmd32.exeC:\Windows\system32\Ehklmd32.exe88⤵PID:5492
-
C:\Windows\SysWOW64\Fajgfiag.exeC:\Windows\system32\Fajgfiag.exe89⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe90⤵
- Drops file in System32 directory
PID:5596 -
C:\Windows\SysWOW64\Falcli32.exeC:\Windows\system32\Falcli32.exe91⤵PID:5660
-
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe92⤵PID:5728
-
C:\Windows\SysWOW64\Fblpflfg.exeC:\Windows\system32\Fblpflfg.exe93⤵PID:5808
-
C:\Windows\SysWOW64\Fkgejncb.exeC:\Windows\system32\Fkgejncb.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5872 -
C:\Windows\SysWOW64\Ghmbib32.exeC:\Windows\system32\Ghmbib32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe96⤵PID:6008
-
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe97⤵PID:6080
-
C:\Windows\SysWOW64\Hembndee.exeC:\Windows\system32\Hembndee.exe98⤵PID:1776
-
C:\Windows\SysWOW64\Hoefgj32.exeC:\Windows\system32\Hoefgj32.exe99⤵PID:5212
-
C:\Windows\SysWOW64\Hikkdc32.exeC:\Windows\system32\Hikkdc32.exe100⤵PID:5308
-
C:\Windows\SysWOW64\Hkodak32.exeC:\Windows\system32\Hkodak32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Hommhi32.exeC:\Windows\system32\Hommhi32.exe102⤵PID:5568
-
C:\Windows\SysWOW64\Iheaqolo.exeC:\Windows\system32\Iheaqolo.exe103⤵PID:5640
-
C:\Windows\SysWOW64\Iooimi32.exeC:\Windows\system32\Iooimi32.exe104⤵PID:5780
-
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe105⤵PID:5896
-
C:\Windows\SysWOW64\Ihjjln32.exeC:\Windows\system32\Ihjjln32.exe106⤵PID:5980
-
C:\Windows\SysWOW64\Ifnkeb32.exeC:\Windows\system32\Ifnkeb32.exe107⤵PID:6100
-
C:\Windows\SysWOW64\Ikjcmi32.exeC:\Windows\system32\Ikjcmi32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Ihndgmdd.exeC:\Windows\system32\Ihndgmdd.exe109⤵PID:5356
-
C:\Windows\SysWOW64\Iohlcg32.exeC:\Windows\system32\Iohlcg32.exe110⤵PID:5560
-
C:\Windows\SysWOW64\Jfgnka32.exeC:\Windows\system32\Jfgnka32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Jlafhkfe.exeC:\Windows\system32\Jlafhkfe.exe112⤵
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Jcknee32.exeC:\Windows\system32\Jcknee32.exe113⤵PID:6092
-
C:\Windows\SysWOW64\Kfpqap32.exeC:\Windows\system32\Kfpqap32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5544 -
C:\Windows\SysWOW64\Lkkekdhe.exeC:\Windows\system32\Lkkekdhe.exe115⤵PID:5852
-
C:\Windows\SysWOW64\Llmbqdfb.exeC:\Windows\system32\Llmbqdfb.exe116⤵PID:6032
-
C:\Windows\SysWOW64\Lfcfnm32.exeC:\Windows\system32\Lfcfnm32.exe117⤵PID:5392
-
C:\Windows\SysWOW64\Midoph32.exeC:\Windows\system32\Midoph32.exe118⤵PID:5368
-
C:\Windows\SysWOW64\Mcicma32.exeC:\Windows\system32\Mcicma32.exe119⤵PID:2328
-
C:\Windows\SysWOW64\Mjcljk32.exeC:\Windows\system32\Mjcljk32.exe120⤵PID:5972
-
C:\Windows\SysWOW64\Mpenmadn.exeC:\Windows\system32\Mpenmadn.exe121⤵PID:5400
-
C:\Windows\SysWOW64\Ncbfcp32.exeC:\Windows\system32\Ncbfcp32.exe122⤵PID:5172