Analysis
max time kernel: 166s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 13/03/2024, 02:18

Static task: static1

Behavioral task: behavioral1
  Sample: ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe
  Resource: win10v2004-20240226-en

General
Target: ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe
Size: 232KB
MD5: d610e52a027897359b373693278b31fe
SHA1: d321a61cb721205472633b81aa99bbf5a003ab87
SHA256: ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6
SHA512: c2865b9d98b5e8dcf76e8da5f21cb1169925bb2491dfe0ba7fcb5d36cdfcbcf8d0720ee542fb1889f850cbb4b8f76d4d5174004bd227d2bb9a6e7beeace15290
SSDEEP: 3072:2IuL3Hbd9IS4gWlINT7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbX:aL3H/I6Z6s21L7/s50z/Wa3/PNlPX

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Foplnb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ombcdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcfejfag.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogjmnomi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnicpk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emhkmcbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihheqd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkeloa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chbncg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmlnomif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cijpkmml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojpdgjid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfjofg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mahbck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpeapilo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dihllkal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dflmep32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idoknmfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akkfop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aocamk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Heapmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lefdld32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fapdomgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgieipmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnkbmp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edihof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlnnfghd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjpjoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hojibgkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Koodka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpgqik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egijfjmp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgieipmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Naaqhlmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eohcon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mqojlbcb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mflbdibj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfjofg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdcaahbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkkofn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Moljgeco.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlmopqdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmdmki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idahcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pagbklae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebocpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpjjpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmhfbf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmbdnhme.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlhlcnge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkqliaki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Neqoidmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bngnmjql.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckbegmin.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhnlapbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecafgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aejmdegn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bajjeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ingpgcmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnkbmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbbnim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfeahffl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlqohhja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opbcdieb.exe
Executes dropped EXE 64 IoCs
pid | Process
4660 | Efampahd.exe
1036 | Fghcqq32.exe
4784 | Fgmllpng.exe
4716 | Gpjjpe32.exe
3548 | Hjpkjh32.exe
2092 | Ihheqd32.exe
3220 | Ihjafd32.exe
2352 | Jcgldl32.exe
3848 | Jicdlc32.exe
1068 | Jifabb32.exe
2420 | Kimgba32.exe
5096 | Kmkpipaf.exe
4572 | Lagepl32.exe
1428 | Mapgfk32.exe
1112 | Nfdfoala.exe
3908 | Nmbhgjoi.exe
3968 | Oahgnh32.exe
4384 | Pdmikb32.exe
3696 | Qpkppbho.exe
1160 | Akenij32.exe
1540 | Adbkmo32.exe
5024 | Aqilaplo.exe
1892 | Bbhhlccb.exe
4468 | Bhennm32.exe
908 | Bqdlmo32.exe
2088 | Cnmebblf.exe
4856 | Daeddlco.exe
1288 | Elaobdmm.exe
2400 | Faamghko.exe
4740 | Feofmf32.exe
660 | Glinjqhb.exe
452 | Hkjjfkcm.exe
4708 | Ieiajckh.exe
3196 | Jcfejfag.exe
1184 | Kjipmoai.exe
3980 | Kicfijal.exe
4780 | Liabjh32.exe
1212 | Mmahff32.exe
1048 | Mminfech.exe
892 | Nfabok32.exe
224 | Ndjldo32.exe
4776 | Nboiekjd.exe
404 | Opcjno32.exe
4532 | Opefdo32.exe
4492 | Oibdhd32.exe
1368 | Ppafpm32.exe
4308 | Qgdabflp.exe
4968 | Apaofk32.exe
5164 | Alhpkldp.exe
5208 | Angleokb.exe
5256 | Acgacegg.exe
5304 | Bnaolm32.exe
5352 | Cknbkpif.exe
5392 | Cjflblll.exe
5436 | Djhiglji.exe
5472 | Dgqblp32.exe
5524 | Dkokbn32.exe
5568 | Ecoiapdj.exe
5604 | Ecafgo32.exe
5648 | Fcepbooa.exe
5704 | Faiplcmk.exe
5748 | Flcndk32.exe
5804 | Gaccbaeq.exe
5840 | Geqlhp32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Chokcakp.exe | Cmiffhkj.exe
File created | C:\Windows\SysWOW64\Fbjicl32.dll | Gmndjf32.exe
File opened for modification | C:\Windows\SysWOW64\Dccbln32.exe | Dacebkko.exe
File created | C:\Windows\SysWOW64\Molefh32.exe | Mfaqafjl.exe
File created | C:\Windows\SysWOW64\Ljkfjnfd.dll | Pmlmdd32.exe
File created | C:\Windows\SysWOW64\Mmahff32.exe | Liabjh32.exe
File created | C:\Windows\SysWOW64\Miaooo32.dll | Behiec32.exe
File created | C:\Windows\SysWOW64\Dfpfhg32.dll | Kanffogf.exe
File opened for modification | C:\Windows\SysWOW64\Bjokno32.exe | Bmkjdj32.exe
File opened for modification | C:\Windows\SysWOW64\Ohjlqklp.exe | Oeffip32.exe
File created | C:\Windows\SysWOW64\Blploo32.dll | Dkgqpaed.exe
File opened for modification | C:\Windows\SysWOW64\Ikfgeh32.exe | Hdmohnhl.exe
File created | C:\Windows\SysWOW64\Oeaadmkh.dll | Fbkdjh32.exe
File created | C:\Windows\SysWOW64\Idhdieal.dll | Ofaeffpa.exe
File created | C:\Windows\SysWOW64\Dbnebbgl.dll | Mflbdibj.exe
File opened for modification | C:\Windows\SysWOW64\Oibdhd32.exe | Opefdo32.exe
File created | C:\Windows\SysWOW64\Mebchf32.exe | Mnhkklbb.exe
File created | C:\Windows\SysWOW64\Famipk32.dll | Ahdgnj32.exe
File created | C:\Windows\SysWOW64\Hlalhlfd.dll | Ebpjjk32.exe
File created | C:\Windows\SysWOW64\Fnegqjne.exe | Flfjdn32.exe
File created | C:\Windows\SysWOW64\Lknocb32.exe | Lddgghfo.exe
File created | C:\Windows\SysWOW64\Efnolmmb.dll | Fealcc32.exe
File opened for modification | C:\Windows\SysWOW64\Nfabok32.exe | Mminfech.exe
File opened for modification | C:\Windows\SysWOW64\Obgeqcnn.exe | Omkmhlpf.exe
File opened for modification | C:\Windows\SysWOW64\Knhkkfod.exe | Khkbcopl.exe
File created | C:\Windows\SysWOW64\Pcjioknl.exe | Pibdff32.exe
File created | C:\Windows\SysWOW64\Jgkdkg32.exe | Jlfpnn32.exe
File created | C:\Windows\SysWOW64\Ecafgo32.exe | Ecoiapdj.exe
File created | C:\Windows\SysWOW64\Cbdebpif.dll | Pneelmjo.exe
File opened for modification | C:\Windows\SysWOW64\Panabc32.exe | Pjdifibo.exe
File created | C:\Windows\SysWOW64\Cajblmci.exe | Chbncg32.exe
File created | C:\Windows\SysWOW64\Kblknfhm.dll | Pcjioknl.exe
File opened for modification | C:\Windows\SysWOW64\Obanqgkl.exe | Odnngclb.exe
File opened for modification | C:\Windows\SysWOW64\Kjgenjhe.exe | Koaaaaip.exe
File created | C:\Windows\SysWOW64\Cgofoamj.dll | Ompmie32.exe
File opened for modification | C:\Windows\SysWOW64\Qlmopqdc.exe | Qahkch32.exe
File created | C:\Windows\SysWOW64\Abmkknod.dll | Cakjfcfe.exe
File opened for modification | C:\Windows\SysWOW64\Mlnpdc32.exe | Mdckpqod.exe
File created | C:\Windows\SysWOW64\Cdabmcdi.exe | Cjindm32.exe
File opened for modification | C:\Windows\SysWOW64\Efhcld32.exe | Ealkcm32.exe
File created | C:\Windows\SysWOW64\Pobbadje.dll | Akenij32.exe
File created | C:\Windows\SysWOW64\Elllpd32.dll | Oagpne32.exe
File created | C:\Windows\SysWOW64\Goepgg32.exe | Gmdcpoid.exe
File created | C:\Windows\SysWOW64\Kakjpb32.dll | Koaaaaip.exe
File created | C:\Windows\SysWOW64\Lfeldj32.exe | Lqhdlc32.exe
File created | C:\Windows\SysWOW64\Jeoqhi32.dll | Nboiekjd.exe
File created | C:\Windows\SysWOW64\Cecdiafb.dll | Dpphcf32.exe
File opened for modification | C:\Windows\SysWOW64\Jifabb32.exe | Jicdlc32.exe
File created | C:\Windows\SysWOW64\Ejneph32.dll | Miaica32.exe
File created | C:\Windows\SysWOW64\Jnfamk32.dll | Eangimij.exe
File opened for modification | C:\Windows\SysWOW64\Ckaffjbg.exe | Bjpjoa32.exe
File created | C:\Windows\SysWOW64\Cpfoehnm.dll | Iefnjm32.exe
File created | C:\Windows\SysWOW64\Kflono32.dll | Ldhbnhlm.exe
File created | C:\Windows\SysWOW64\Jbbllj32.dll | Idahcm32.exe
File opened for modification | C:\Windows\SysWOW64\Ahdgnj32.exe | Aecnmo32.exe
File created | C:\Windows\SysWOW64\Cleeafbi.exe | Clbhkfdl.exe
File created | C:\Windows\SysWOW64\Mjbkbj32.dll | Gpjjpe32.exe
File created | C:\Windows\SysWOW64\Hdndibdf.dll | Aogkhjii.exe
File created | C:\Windows\SysWOW64\Moedgenf.dll | Liocgc32.exe
File opened for modification | C:\Windows\SysWOW64\Dfcjoa32.exe | Dkmebh32.exe
File created | C:\Windows\SysWOW64\Kmplgl32.dll | Eecpaeoo.exe
File created | C:\Windows\SysWOW64\Qqfmnk32.exe | Qgnief32.exe
File created | C:\Windows\SysWOW64\Bjpjoa32.exe | Bcfabgel.exe
File created | C:\Windows\SysWOW64\Djhiglji.exe | Cjflblll.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
7132 | 5036 | WerFault.exe | 784
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Angleokb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papgndfl.dll" | Kmdlolmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jenhmaeh.dll" | Mhenpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjifcejk.dll" | Jibejb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbdbck32.dll" | Cijpkmml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Alkidi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiipacmo.dll" | Lgpocm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emhkmcbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hojibgkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffdddg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dklhmlac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbedffg.dll" | Cfqmjajc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eblpqono.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fechhcal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hedaoa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fghcqq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbkdjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jgkdkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphabc32.dll" | Hedaoa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mfjfoidl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ecafgo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gijmlh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glinjqhb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bccfleqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emhkmcbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefnl32.dll" | Jlqohhja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnaolm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iandjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffgegh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efgofpbf.dll" | Nfjofg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfhkop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndigmnkj.dll" | Fpjjkh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfcjoa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eohcon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqlbncjp.dll" | Emkeho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dojgnpke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfpjh32.dll" | Ffgegh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabebdka.dll" | Lnendhol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebocpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnmebblf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Liabjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgekepjo.dll" | Opbcdieb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcibd32.dll" | Knenffqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Peddhb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eecpaeoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akmbepke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bngnmjql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hklpaeno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cobciblp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjahfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Clbhkfdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpiceon.dll" | Aapeakij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjndpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfmcpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofaeffpa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obgeqcnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llofnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbjhd32.dll" | Pgefogop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmaknole.dll" | Lppbdmig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkjehbaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glndff32.dll" | Hojibgkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jidpblik.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jefbomoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfiaomkb.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1612 wrote to memory of 4660 | 1612 | ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe | 99
PID 1612 wrote to memory of 4660 | 1612 | ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe | 99
PID 1612 wrote to memory of 4660 | 1612 | ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe | 99
PID 4660 wrote to memory of 1036 | 4660 | Efampahd.exe | 100
PID 4660 wrote to memory of 1036 | 4660 | Efampahd.exe | 100
PID 4660 wrote to memory of 1036 | 4660 | Efampahd.exe | 100
PID 1036 wrote to memory of 4784 | 1036 | Fghcqq32.exe | 101
PID 1036 wrote to memory of 4784 | 1036 | Fghcqq32.exe | 101
PID 1036 wrote to memory of 4784 | 1036 | Fghcqq32.exe | 101
PID 4784 wrote to memory of 4716 | 4784 | Fgmllpng.exe | 102
PID 4784 wrote to memory of 4716 | 4784 | Fgmllpng.exe | 102
PID 4784 wrote to memory of 4716 | 4784 | Fgmllpng.exe | 102
PID 4716 wrote to memory of 3548 | 4716 | Gpjjpe32.exe | 103
PID 4716 wrote to memory of 3548 | 4716 | Gpjjpe32.exe | 103
PID 4716 wrote to memory of 3548 | 4716 | Gpjjpe32.exe | 103
PID 3548 wrote to memory of 2092 | 3548 | Hjpkjh32.exe | 104
PID 3548 wrote to memory of 2092 | 3548 | Hjpkjh32.exe | 104
PID 3548 wrote to memory of 2092 | 3548 | Hjpkjh32.exe | 104
PID 2092 wrote to memory of 3220 | 2092 | Ihheqd32.exe | 105
PID 2092 wrote to memory of 3220 | 2092 | Ihheqd32.exe | 105
PID 2092 wrote to memory of 3220 | 2092 | Ihheqd32.exe | 105
PID 3220 wrote to memory of 2352 | 3220 | Ihjafd32.exe | 106
PID 3220 wrote to memory of 2352 | 3220 | Ihjafd32.exe | 106
PID 3220 wrote to memory of 2352 | 3220 | Ihjafd32.exe | 106
PID 2352 wrote to memory of 3848 | 2352 | Jcgldl32.exe | 107
PID 2352 wrote to memory of 3848 | 2352 | Jcgldl32.exe | 107
PID 2352 wrote to memory of 3848 | 2352 | Jcgldl32.exe | 107
PID 3848 wrote to memory of 1068 | 3848 | Jicdlc32.exe | 108
PID 3848 wrote to memory of 1068 | 3848 | Jicdlc32.exe | 108
PID 3848 wrote to memory of 1068 | 3848 | Jicdlc32.exe | 108
PID 1068 wrote to memory of 2420 | 1068 | Jifabb32.exe | 109
PID 1068 wrote to memory of 2420 | 1068 | Jifabb32.exe | 109
PID 1068 wrote to memory of 2420 | 1068 | Jifabb32.exe | 109
PID 2420 wrote to memory of 5096 | 2420 | Kimgba32.exe | 110
PID 2420 wrote to memory of 5096 | 2420 | Kimgba32.exe | 110
PID 2420 wrote to memory of 5096 | 2420 | Kimgba32.exe | 110
PID 5096 wrote to memory of 4572 | 5096 | Kmkpipaf.exe | 111
PID 5096 wrote to memory of 4572 | 5096 | Kmkpipaf.exe | 111
PID 5096 wrote to memory of 4572 | 5096 | Kmkpipaf.exe | 111
PID 4572 wrote to memory of 1428 | 4572 | Lagepl32.exe | 112
PID 4572 wrote to memory of 1428 | 4572 | Lagepl32.exe | 112
PID 4572 wrote to memory of 1428 | 4572 | Lagepl32.exe | 112
PID 1428 wrote to memory of 1112 | 1428 | Mapgfk32.exe | 113
PID 1428 wrote to memory of 1112 | 1428 | Mapgfk32.exe | 113
PID 1428 wrote to memory of 1112 | 1428 | Mapgfk32.exe | 113
PID 1112 wrote to memory of 3908 | 1112 | Nfdfoala.exe | 114
PID 1112 wrote to memory of 3908 | 1112 | Nfdfoala.exe | 114
PID 1112 wrote to memory of 3908 | 1112 | Nfdfoala.exe | 114
PID 3908 wrote to memory of 3968 | 3908 | Nmbhgjoi.exe | 115
PID 3908 wrote to memory of 3968 | 3908 | Nmbhgjoi.exe | 115
PID 3908 wrote to memory of 3968 | 3908 | Nmbhgjoi.exe | 115
PID 3968 wrote to memory of 4384 | 3968 | Oahgnh32.exe | 116
PID 3968 wrote to memory of 4384 | 3968 | Oahgnh32.exe | 116
PID 3968 wrote to memory of 4384 | 3968 | Oahgnh32.exe | 116
PID 4384 wrote to memory of 3696 | 4384 | Pdmikb32.exe | 117
PID 4384 wrote to memory of 3696 | 4384 | Pdmikb32.exe | 117
PID 4384 wrote to memory of 3696 | 4384 | Pdmikb32.exe | 117
PID 3696 wrote to memory of 1160 | 3696 | Qpkppbho.exe | 118
PID 3696 wrote to memory of 1160 | 3696 | Qpkppbho.exe | 118
PID 3696 wrote to memory of 1160 | 3696 | Qpkppbho.exe | 118
PID 1160 wrote to memory of 1540 | 1160 | Akenij32.exe | 119
PID 1160 wrote to memory of 1540 | 1160 | Akenij32.exe | 119
PID 1160 wrote to memory of 1540 | 1160 | Akenij32.exe | 119
PID 1540 wrote to memory of 5024 | 1540 | Adbkmo32.exe | 120
Processes
Each row is one process in the spawn chain: depth (1 = the submitted sample, each following level is the child of the row one level above it), PID, image name and the signatures tria.ge attached to it. Every dropped process has image path C:\Windows\SysWOW64\<name> and command line C:\Windows\system32\<name>. Signature tags: autorun = Adds autorun key to be loaded by Explorer.exe on startup; dropped-exe = Executes dropped EXE; drops-sys32 = Drops file in System32 directory; reg-class = Modifies registry class; wpm = Suspicious use of WriteProcessMemory.

depth  PID   process  signatures
1      1612  C:\Users\Admin\AppData\Local\Temp\ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe (command line "C:\Users\Admin\AppData\Local\Temp\ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe")  wpm
2      4660  Efampahd.exe  dropped-exe, wpm
3      1036  Fghcqq32.exe  dropped-exe, reg-class, wpm
4      4784  Fgmllpng.exe  dropped-exe, wpm
5      4716  Gpjjpe32.exe  autorun, dropped-exe, drops-sys32, wpm
6      3548  Hjpkjh32.exe  dropped-exe, wpm
7      2092  Ihheqd32.exe  autorun, dropped-exe, wpm
8      3220  Ihjafd32.exe  dropped-exe, wpm
9      2352  Jcgldl32.exe  dropped-exe, wpm
10     3848  Jicdlc32.exe  dropped-exe, drops-sys32, wpm
11     1068  Jifabb32.exe  dropped-exe, wpm
12     2420  Kimgba32.exe  dropped-exe, wpm
13     5096  Kmkpipaf.exe  dropped-exe, wpm
14     4572  Lagepl32.exe  dropped-exe, wpm
15     1428  Mapgfk32.exe  dropped-exe, wpm
16     1112  Nfdfoala.exe  dropped-exe, wpm
17     3908  Nmbhgjoi.exe  dropped-exe, wpm
18     3968  Oahgnh32.exe  dropped-exe, wpm
19     4384  Pdmikb32.exe  dropped-exe, wpm
20     3696  Qpkppbho.exe  dropped-exe, wpm
21     1160  Akenij32.exe  dropped-exe, drops-sys32, wpm
22     1540  Adbkmo32.exe  dropped-exe, wpm
23     5024  Aqilaplo.exe  dropped-exe
24     1892  Bbhhlccb.exe  dropped-exe
25     4468  Bhennm32.exe  dropped-exe
26     908   Bqdlmo32.exe  dropped-exe
27     2088  Cnmebblf.exe  dropped-exe, reg-class
28     4856  Daeddlco.exe  dropped-exe
29     1288  Elaobdmm.exe  dropped-exe
30     2400  Faamghko.exe  dropped-exe
31     4740  Feofmf32.exe  dropped-exe
32     660   Glinjqhb.exe  dropped-exe, reg-class
33     452   Hkjjfkcm.exe  dropped-exe
34     4708  Ieiajckh.exe  dropped-exe
35     3196  Jcfejfag.exe  autorun, dropped-exe
36     1184  Kjipmoai.exe  dropped-exe
37     3980  Kicfijal.exe  dropped-exe
38     4780  Liabjh32.exe  dropped-exe, drops-sys32, reg-class
39     1212  Mmahff32.exe  dropped-exe
40     1048  Mminfech.exe  dropped-exe, drops-sys32
41     892   Nfabok32.exe  dropped-exe
42     224   Ndjldo32.exe  dropped-exe
43     4776  Nboiekjd.exe  dropped-exe, drops-sys32
44     404   Opcjno32.exe  dropped-exe
45     4532  Opefdo32.exe  dropped-exe, drops-sys32
46     4492  Oibdhd32.exe  dropped-exe
47     1368  Ppafpm32.exe  dropped-exe
48     4308  Qgdabflp.exe  dropped-exe
49     4968  Apaofk32.exe  dropped-exe
50     5164  Alhpkldp.exe  dropped-exe
51     5208  Angleokb.exe  dropped-exe, reg-class
52     5256  Acgacegg.exe  dropped-exe
53     5304  Bnaolm32.exe  dropped-exe, reg-class
54     5352  Cknbkpif.exe  dropped-exe
55     5392  Cjflblll.exe  dropped-exe, drops-sys32
56     5436  Djhiglji.exe  dropped-exe
57     5472  Dgqblp32.exe  dropped-exe
58     5524  Dkokbn32.exe  dropped-exe
59     5568  Ecoiapdj.exe  dropped-exe, drops-sys32
60     5604  Ecafgo32.exe  autorun, dropped-exe, reg-class
61     5648  Fcepbooa.exe  dropped-exe
62     5704  Faiplcmk.exe  dropped-exe
63     5748  Flcndk32.exe  dropped-exe
64     5804  Gaccbaeq.exe  dropped-exe
65     5840  Geqlhp32.exe  dropped-exe
66     5884  Gjndpg32.exe  reg-class
67     5932  Ghadjkhh.exe
68     5972  Gmnmbbgp.exe
69     6016  Hklpaeno.exe  reg-class
70     6056  Iefnjm32.exe  drops-sys32
71     6108  Iamoon32.exe
72     3464  Ioclnblj.exe
73     5156  Ihkpgg32.exe
74     5220  Inhion32.exe
75     5288  Jlponebi.exe
76     5328  Jamhflqq.exe
77     5444  Jkeloa32.exe  autorun
78     5512  Kdbjbfjl.exe
79     5588  Kohnpoib.exe
80     5656  Lkchpoka.exe
81     5672  Lhjeoc32.exe
82     5716  Lbbjhini.exe
83     5824  Lmhnea32.exe
84     5780  Nnidcg32.exe
85     5912  Niohap32.exe
86     5988  Nbgljf32.exe
87     6048  Nfeepdbg.exe
88     6116  Opbcdieb.exe  autorun, reg-class
89     5152  Oijgmokc.exe
90     4388  Onjmjegg.exe
91     5292  Omkmhlpf.exe  drops-sys32
92     5368  Obgeqcnn.exe  reg-class
93     5448  Oianmm32.exe
94     5544  Pehnboko.exe
95     5700  Plbfohbl.exe
96     5036  Pldcdhpi.exe
97     5812  Plgpjhnf.exe
98     5896  Pfmdgq32.exe
99     6040  Ppgeff32.exe
100    6088  Qfanbpjg.exe
101    964   Qmnbej32.exe
102    4464  Aeigilml.exe
103    5468  Abmhbplf.exe
104    5620  Amblpikl.exe
105    5928  Aepmjk32.exe
106    5140  Enlqdc32.exe
107    5600  Emfgpo32.exe
108    3224  Imnoni32.exe
109    6068  Ihcclb32.exe
110    1092  Ikdlmmbh.exe
111    5180  Iandjg32.exe  reg-class
112    1612  Ihhmgaqb.exe
113    2804  Imeeohoi.exe
114    5892  Igmjhnej.exe
115    6084  Jpfnqc32.exe
116    3572  Jmjojh32.exe
117    5712  Jhocgqjj.exe
118    1096  Jmlkpgia.exe
119    3536  Jhdlbp32.exe
120    4440  Jdkmgali.exe
121    3060  Kdmjmqjf.exe
122    2652  Knenffqf.exe  reg-class
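The chain above is 122 processes deep: each dropped executable spawns the next one under a fresh eight-letter name and writes into it before it runs (the WriteProcessMemory entries), so the lineage, not any single file name, is the thing worth reconstructing. The following is an added example in Python, not tria.ge's own code, that rebuilds that lineage from the report text as the page prints it and cross-checks the memory-write events against the tree. It links parents by depth marker rather than by PID, because PIDs get reused in a run this long (1612 is both the sample and, later, Ihhmgaqb.exe); it de-duplicates the triplicated write events; and it flags a caveat worth knowing when collecting the dropped files: every child is launched as C:\Windows\system32\<name>.exe but the loaded image is under C:\Windows\SysWOW64, which is WOW64 file-system redirection acting on a 32-bit parent, so the binaries to pull are the SysWOW64 copies. The regexes are assumptions about this page's text layout; TREE and EVENTS are a subset of rows copied from the report, except the PID 9999 / Bogus32.exe event, which is constructed to show what a mismatch looks like.

```python
"""Rebuild and cross-check the dropper chain from a tria.ge report.

Added example for this page, not tria.ge's own code. TREE and EVENTS are
copied from the report above (a subset of rows); the event naming PID 9999
and Bogus32.exe is constructed to show what a mismatch looks like. The
regexes encode assumptions about how the page lays the text out.
"""
import re
from collections import Counter

AUTORUN_SIG = "Adds autorun key to be loaded by Explorer.exe on startup"

# A 'Processes' row as the page prints it: image path, command line and depth
# run together ('...Kimgba32.exeC:\Windows\system32\Kimgba32.exe12⤵'), then
# '- ...' signature lines, then the PID on its own line or fused ('67⤵PID:5932').
ROW = re.compile(
    r'^(?P<image>[^"]+?\.exe)(?P<cmd>"?[^"]*?\.exe"?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?')
PID = re.compile(r"^PID:(\d+)")
SIG = re.compile(r"^- (.+)$")
# One event: 'PID <writer> wrote to memory of <target> <writer> <WriterImage> <n>'
EVENT = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+\.exe) \d+")

TREE = r'''
C:\Users\Admin\AppData\Local\Temp\ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe"C:\Users\Admin\AppData\Local\Temp\ee8939a84f3c3db34d4c648063b8b729a1536a837c403be0f564d5cc1cd1ffa6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Kimgba32.exeC:\Windows\system32\Kimgba32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Kmkpipaf.exeC:\Windows\system32\Kmkpipaf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Lagepl32.exeC:\Windows\system32\Lagepl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Jcfejfag.exeC:\Windows\system32\Jcfejfag.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Ghadjkhh.exeC:\Windows\system32\Ghadjkhh.exe67⤵PID:5932
'''

# Copied from the report, plus one constructed line (PID 9999) that must fail.
EVENTS = """
PID 2420 wrote to memory of 5096 2420 Kimgba32.exe 110
PID 2420 wrote to memory of 5096 2420 Kimgba32.exe 110
PID 2420 wrote to memory of 5096 2420 Kimgba32.exe 110
PID 5096 wrote to memory of 4572 5096 Kmkpipaf.exe 111
PID 5096 wrote to memory of 4572 5096 Kmkpipaf.exe 111
PID 5096 wrote to memory of 4572 5096 Kmkpipaf.exe 111
PID 9999 wrote to memory of 4572 9999 Bogus32.exe 1
"""


def parse_tree(text):
    """Parse pasted rows into dicts, linking each to the most recent row one
    level shallower. Link by depth, not PID: PIDs are reused in a long run
    (1612 appears twice on this page)."""
    procs, last_at_depth = [], {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(" -").strip()  # drop stray list bullets
        if not line:
            continue
        if m := ROW.match(line):
            d = int(m["depth"])
            parent = last_at_depth.get(d - 1)
            p = {"image": m["image"], "cmd": m["cmd"].strip('"'), "depth": d,
                 "pid": int(m["pid"]) if m["pid"] else None,
                 "ppid": parent["pid"] if parent else None, "sigs": []}
            procs.append(p)
            last_at_depth[d] = p
        elif m := PID.match(line):
            procs[-1]["pid"] = int(m.group(1))
        elif m := SIG.match(line):
            procs[-1]["sigs"].append(m.group(1))
    return procs


def parse_events(text):
    """Count (writer, target, writer image) triples; each spawn is printed 3 times."""
    return Counter((int(w), int(t), img) for w, t, img in EVENT.findall(text))


def cross_check(procs, events):
    """Return the triples whose target is not a direct child of the writer,
    or whose writer image does not match the parent row."""
    by_pid = {}
    for p in procs:
        by_pid.setdefault(p["pid"], []).append(p)

    def parent_ok(writer, image):
        return any(q["image"].rsplit("\\", 1)[-1] == image for q in by_pid.get(writer, []))

    return sorted((w, t, img) for (w, t, img) in events
                  if not (parent_ok(w, img)
                          and any(c["ppid"] == w for c in by_pid.get(t, []))))


def wow64_redirected(p):
    """Command line says System32 but the image loaded from SysWOW64: the
    32-bit parent hit file-system redirection; collect files from SysWOW64."""
    return "\\system32\\" in p["cmd"].lower() and "\\syswow64\\" in p["image"].lower()


def persistence(procs):
    """(PID, image name) of every row that wrote the ShellServiceObjectDelayLoad value."""
    return [(p["pid"], p["image"].rsplit("\\", 1)[-1]) for p in procs if AUTORUN_SIG in p["sigs"]]
```

Run against the full tree, `parse_tree` gives one row per level and `cross_check` should come back empty; a non-empty result means either the paste lost a row or the sandbox recorded a write into a process that is not the writer's child, which in a chain like this one would be the interesting event. `persistence` lists the rows to hand to the registry triage (the SSODL value from the signature list at the top of the page), and any row for which `wow64_redirected` is true should be pulled from SysWOW64, not System32.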