Analysis
- max time kernel: 160s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/04/2024, 21:22
Static task
- static1: 1 signature
Behavioral task
- behavioral1: sample 0dc896da1830f3c89a41c81bc95ac05b.exe, resource win7-20240221-en, 6 signatures, 150 seconds
Behavioral task
- behavioral2 (the run shown on this page, see the platform and resource under Analysis): sample 0dc896da1830f3c89a41c81bc95ac05b.exe, resource win10v2004-20240226-en, 5 signatures, 150 seconds
General
- Target: 0dc896da1830f3c89a41c81bc95ac05b.exe
- Size: 96KB
- MD5: 0dc896da1830f3c89a41c81bc95ac05b
- SHA1: 63a0e837d539799cb5adfa8fd8ff0ac08242a4db
- SHA256: 15a870023e7a83f4ce2eca1b374bdee2577f60ebae84c151ad8f843cefa9485c
- SHA512: 639a7bd083c81c630f23df9668487a65725a9e99faf57a140c5dec36fbd0c4118318e6a2918b1040e5295649bf70ba5802c32f7e648cc496c3799f6309817c31
- SSDEEP: 1536:CL8NWNecmoR7nWmxdhO8jFSdCx2LBsBMu/HCmiDcg3MZRP3cEW3AE:0YoR7FdhJjFyHBa6miEo
Score
10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 IoCs touch the same ShellServiceObjectDelayLoad key in the 32-bit (WOW6432Node) registry view and name the same CLSID. They are grouped below by operation, with the process that performed each write.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (30 IoCs), written by:
Ohdlke32.exe, Lklbnb32.exe, Fdhaca32.exe, Cjpllgme.exe, Gloecbaa.exe, Pnaalghe.exe, Qfhmcl32.exe, Kdalim32.exe, Cgmfel32.exe, Mlkldmjf.exe, Kckgff32.exe, Jookjpam.exe, Bkgleegf.exe, Fdihmh32.exe, Jdkadb32.exe, Ngbeok32.exe, Gfemfhje.exe, Pbjbfclk.exe, Ephlgc32.exe, Ejlmppha.exe, Ojfcmc32.exe, Cbhifj32.exe, Ljlagndl.exe, Lgmbmn32.exe, Mcjlna32.exe, Pijcjcmq.exe, Ihbphcpo.exe, Fqphbi32.exe, Mekmgg32.exe, Baanhi32.exe

Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (34 IoCs), by:
Lqndahiq.exe, Bidlqhgc.exe, Nmomga32.exe, Fhdfll32.exe, Inmplh32.exe, Cldgmgml.exe, Apddmk32.exe, Ckpjob32.exe, Jjklcf32.exe, Lhihejhi.exe, Gfbpahlg.exe, Qfpbfljd.exe, Aiabap32.exe, Lcggbd32.exe, Lfjjqg32.exe, Fjbmfi32.exe, Pnaalghe.exe, Jdopcmlp.exe, Gfcnka32.exe, Eoccii32.exe, Dnljdqkh.exe, Hpofbobf.exe, Lpfidh32.exe, Fnmeic32.exe, Fgbfbc32.exe, Kgefae32.exe, Kllhjplh.exe, Mbmbiqqp.exe, Bejoqm32.exe, Dpjofefp.exe, Jppnjpji.exe, Ealopnol.exe, Phombg32.exe, Lifqbi32.exe
Executes dropped EXE (64 IoCs)

pid   Process
4496  Dhgjll32.exe
3044  Gebimmco.exe
2608  Gllajf32.exe
2964  Hcaibo32.exe
4048  Hjpkjh32.exe
1640  Hfgloiqf.exe
1552  Ioppho32.exe
3892  Imjgbb32.exe
1168  Jgbhdkml.exe
796   Jifabb32.exe
1152  Jjemle32.exe
2064  Kaflio32.exe
4896  Kpnepk32.exe
5016  Najjmjkg.exe
792   Onngci32.exe
4056  Odhppclh.exe
2896  Pjgemi32.exe
1084  Qpmmfbfl.exe
3472  Ajjjjghg.exe
1280  Anjpeelk.exe
3624  Bjcmpepm.exe
1836  Ckmmpg32.exe
1080  Cbfema32.exe
3464  Daeddlco.exe
5112  Dnienqbi.exe
2388  Dajnol32.exe
1048  Enpknplq.exe
1096  Eieplhlf.exe
5088  Fbjcplhj.exe
2284  Fkiapn32.exe
2168  Gedohfmp.exe
1204  Jkomhhae.exe
4060  Jchaoe32.exe
2676  Jcmkjeko.exe
1948  Kkmijf32.exe
4592  Kcfnqccd.exe
1464  Lbnggpfj.exe
1560  Lfcfnm32.exe
5068  Mcggga32.exe
2232  Midoph32.exe
3992  Mjheejff.exe
1564  Npgjbabk.exe
4580  Niblafgi.exe
4908  Nmpdgdmp.exe
2120  Obccpj32.exe
4928  Ojmgggdo.exe
5044  Oibdhd32.exe
3000  Ajggjq32.exe
4544  Aneppo32.exe
5048  Bkpfjb32.exe
4540  Bqahmhpi.exe
1644  Cdbmifdl.exe
1264  Cmblhh32.exe
2508  Dcgcaq32.exe
756   Eanqpdgi.exe
1376  Ecoiapdj.exe
2524  Flmhclod.exe
4176  Fmbnfcam.exe
4276  Goipae32.exe
5084  Gechnpid.exe
2728  Glompi32.exe
3604  Gehbio32.exe
1244  Hopfadlp.exe
960   Hkggfe32.exe
Drops file in System32 directory (64 IoCs)

Every path is under C:\Windows\SysWOW64: the sample is 32-bit, so the "System32" it writes to is redirected by WOW64 file-system redirection to the 32-bit system directory.

description                   ioc                                   Process
File created                  C:\Windows\SysWOW64\Keekab32.dll      Objphn32.exe
File created                  C:\Windows\SysWOW64\Ffgegh32.exe      Efnbqi32.exe
File created                  C:\Windows\SysWOW64\Ndjleb32.dll      Fqphbi32.exe
File created                  C:\Windows\SysWOW64\Lbaipffa.dll      Oljonc32.exe
File created                  C:\Windows\SysWOW64\Nbphqahb.exe      Nhegblcd.exe
File created                  C:\Windows\SysWOW64\Bigbgehl.exe      Bpnnnp32.exe
File created                  C:\Windows\SysWOW64\Dngqia32.exe      Cmedca32.exe
File created                  C:\Windows\SysWOW64\Jmfdpkeo.exe      Ifjoma32.exe
File created                  C:\Windows\SysWOW64\Gnnomb32.dll      Hgdedj32.exe
File opened for modification  C:\Windows\SysWOW64\Dkbgcd32.exe      Dnnfjp32.exe
File created                  C:\Windows\SysWOW64\Kmjjlh32.dll      Hgliie32.exe
File created                  C:\Windows\SysWOW64\Aknhia32.dll      Jdnnjane.exe
File opened for modification  C:\Windows\SysWOW64\Kcdmifip.exe      Kabpan32.exe
File created                  C:\Windows\SysWOW64\Mcggga32.exe      Lfcfnm32.exe
File created                  C:\Windows\SysWOW64\Qolbgbgb.exe      Pbjbfclk.exe
File created                  C:\Windows\SysWOW64\Pogmdm32.dll      Niifnf32.exe
File opened for modification  C:\Windows\SysWOW64\Inmplh32.exe      Hkeajn32.exe
File created                  C:\Windows\SysWOW64\Lojgbmpm.dll      Ljlagndl.exe
File created                  C:\Windows\SysWOW64\Ngpekcgb.dll      Mcklac32.exe
File opened for modification  C:\Windows\SysWOW64\Lgkakm32.exe      Lpqioclc.exe
File created                  C:\Windows\SysWOW64\Gpciecgl.dll      Ejoogm32.exe
File created                  C:\Windows\SysWOW64\Hqddjp32.exe      Hjjlme32.exe
File created                  C:\Windows\SysWOW64\Dhgjll32.exe      0dc896da1830f3c89a41c81bc95ac05b.exe
File created                  C:\Windows\SysWOW64\Phqdjm32.dll      Fjanjb32.exe
File created                  C:\Windows\SysWOW64\Fadoii32.exe      Flgfqb32.exe
File created                  C:\Windows\SysWOW64\Pkcannmj.exe      Pefhfgoc.exe
File opened for modification  C:\Windows\SysWOW64\Fnlcknle.exe      Eddnbhfe.exe
File opened for modification  C:\Windows\SysWOW64\Fdihmh32.exe      Fjccpo32.exe
File opened for modification  C:\Windows\SysWOW64\Aiabap32.exe      Abgjdeai.exe
File created                  C:\Windows\SysWOW64\Najjmjkg.exe      Kpnepk32.exe
File opened for modification  C:\Windows\SysWOW64\Daeddlco.exe      Cbfema32.exe
File created                  C:\Windows\SysWOW64\Fdqeglpa.dll      Ephlgc32.exe
File created                  C:\Windows\SysWOW64\Chkokq32.exe      Bhmbjb32.exe
File opened for modification  C:\Windows\SysWOW64\Aealea32.exe      Apddmk32.exe
File created                  C:\Windows\SysWOW64\Gqicdqoc.dll      Fdogcqhl.exe
File created                  C:\Windows\SysWOW64\Jhkane32.dll      Jchaoe32.exe
File created                  C:\Windows\SysWOW64\Bkcghbbk.dll      Fcgemhic.exe
File created                  C:\Windows\SysWOW64\Nmhajf32.dll      Ckpjob32.exe
File created                  C:\Windows\SysWOW64\Llfgjbke.dll      Phombg32.exe
File created                  C:\Windows\SysWOW64\Jlbecadc.exe      Jamafidm.exe
File opened for modification  C:\Windows\SysWOW64\Cfabfbnb.exe      Cpgjjhfe.exe
File opened for modification  C:\Windows\SysWOW64\Bqahmhpi.exe      Bkpfjb32.exe
File created                  C:\Windows\SysWOW64\Icbbnice.dll      Dodjemee.exe
File created                  C:\Windows\SysWOW64\Jnemabne.dll      Dbgnobpg.exe
File opened for modification  C:\Windows\SysWOW64\Ndlamg32.exe      Ncjdeooo.exe
File created                  C:\Windows\SysWOW64\Cboilbmo.exe      Cleqoh32.exe
File created                  C:\Windows\SysWOW64\Fjfgealk.exe      Fppchile.exe
File created                  C:\Windows\SysWOW64\Kabpan32.exe      Jibejb32.exe
File created                  C:\Windows\SysWOW64\Jncapf32.exe      Jhmfba32.exe
File created                  C:\Windows\SysWOW64\Pcogglmf.exe      Pijcjcmq.exe
File created                  C:\Windows\SysWOW64\Jmencp32.dll      Abgjdeai.exe
File created                  C:\Windows\SysWOW64\Agojdnng.exe      Qlpcpffl.exe
File created                  C:\Windows\SysWOW64\Fdfoblfp.dll      Oofacdaj.exe
File created                  C:\Windows\SysWOW64\Abonhkgf.dll      Flcegd32.exe
File created                  C:\Windows\SysWOW64\Kdbnhokm.dll      Nbadmege.exe
File created                  C:\Windows\SysWOW64\Dkbgcd32.exe      Dnnfjp32.exe
File opened for modification  C:\Windows\SysWOW64\Eenfff32.exe      Dndnjllg.exe
File created                  C:\Windows\SysWOW64\Imjgbb32.exe      Ioppho32.exe
File created                  C:\Windows\SysWOW64\Blqlgdhi.exe      Bcfkiock.exe
File created                  C:\Windows\SysWOW64\Onkbebpi.dll      Pbgghn32.exe
File created                  C:\Windows\SysWOW64\Jppnjpji.exe      Jejjlg32.exe
File created                  C:\Windows\SysWOW64\Dekiokdi.dll      Okjcdq32.exe
File created                  C:\Windows\SysWOW64\Afcjmbhn.dll      Pigfdcoc.exe
File opened for modification  C:\Windows\SysWOW64\Kabpan32.exe      Jibejb32.exe
Modifies registry class (64 IoCs)

All 64 IoCs register the in-process COM server for the CLSID named in the ShellServiceObjectDelayLoad entry above, under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32. They are grouped by operation; each of the 20 processes that sets the default value points it at a different randomly named DLL in SysWow64.

Set value (str) ...\InProcServer32\ (default) = DLL path (20 IoCs), by process:
Agojdnng.exe = "C:\\Windows\\SysWow64\\Pnpmgngb.dll"
Nnbeie32.exe = "C:\\Windows\\SysWow64\\Agbgom32.dll"
Lglopjkg.exe = "C:\\Windows\\SysWow64\\Bhnako32.dll"
Nalpbf32.exe = "C:\\Windows\\SysWow64\\Nfenmdkp.dll"
Doojni32.exe = "C:\\Windows\\SysWow64\\Lppgkh32.dll"
Jncapf32.exe = "C:\\Windows\\SysWow64\\Qnoeacho.dll"
Fjanjb32.exe = "C:\\Windows\\SysWow64\\Phqdjm32.dll"
Kpbmme32.exe = "C:\\Windows\\SysWow64\\Mklnbgao.dll"
Nhegblcd.exe = "C:\\Windows\\SysWow64\\Ndbhcn32.dll"
Lfcfnm32.exe = "C:\\Windows\\SysWow64\\Cogadadh.dll"
Ncjdeooo.exe = "C:\\Windows\\SysWow64\\Ffempndc.dll"
Dhdaao32.exe = "C:\\Windows\\SysWow64\\Abdaca32.dll"
Cjpllgme.exe = "C:\\Windows\\SysWow64\\Fdhpoegg.dll"
Ddfikaeq.exe = "C:\\Windows\\SysWow64\\Eomgkc32.dll"
Llgcin32.exe = "C:\\Windows\\SysWow64\\Mlaahojd.dll"
Nklbfaae.exe = "C:\\Windows\\SysWow64\\Jnabic32.dll"
Cpgjjhfe.exe = "C:\\Windows\\SysWow64\\Ebfmecpm.dll"
Gllajf32.exe = "C:\\Windows\\SysWow64\\Knnicgle.dll"
Dqipeboj.exe = "C:\\Windows\\SysWow64\\Ikhfkk32.dll"
Pchljlpo.exe = "C:\\Windows\\SysWow64\\Icdcdp32.dll"

Set value (str) ...\InProcServer32\ThreadingModel = "Apartment" (22 IoCs), by:
Bjpjoa32.exe, Ppkopail.exe, Obdkak32.exe, Jmfdpkeo.exe, Kgefae32.exe, Npgjbabk.exe, Fdihmh32.exe, 0dc896da1830f3c89a41c81bc95ac05b.exe, Ahfmka32.exe, Doojni32.exe, Qhlamhkj.exe, Cmblhh32.exe, Kdalim32.exe, Flebmcil.exe, Nlmdml32.exe, Pbjbfclk.exe, Akblpo32.exe, Cmbgnabc.exe, Hfacai32.exe, Kcdmifip.exe, Eanqpdgi.exe, Dqipeboj.exe

Key created ...\InProcServer32 (22 IoCs), by:
Ednolp32.exe, Lbmheomi.exe, Infqdbdj.exe, Lennih32.exe, Dhnlapbo.exe, Eohmdhki.exe, Pijcjcmq.exe, Jppnjpji.exe, Qolbgbgb.exe, Ibmmbj32.exe, Jbppaedo.exe, Jlbecadc.exe, Beaelofp.exe, Oapljmgm.exe, Cefolk32.exe, Lhbdbpnm.exe, Oloaamqf.exe, Hmfkda32.exe, Hfacai32.exe, Lmmoekem.exe, Aldeap32.exe, Afjjil32.exe
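The two registry signatures above (the ShellServiceObjectDelayLoad "Web Event Logger" entry and the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 registration) are one persistence chain: Explorer reads ShellServiceObjectDelayLoad at shell start-up, instantiates each CLSID listed there, and the CLSID's InProcServer32 default value names the DLL that gets loaded, here one of the randomly named DLLs dropped into SysWow64. Every write in this report lands in the WOW6432Node view because the sample is 32-bit and subject to WOW64 registry redirection, while a 64-bit explorer.exe reads the native view, so a hunt has to check both. The Python below is an added example for this page, not tria.ge code and not part of the sample: it parses a reg.exe export offline and joins the two keys so a responder can see which DLL each SSODL entry resolves to. The baseline CLSID set and the embedded export are assumptions constructed for the example from the IoCs shown above.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence from a .reg export.

Added example for this report; not tria.ge code and not part of the sample.
It assumes HKLM\SOFTWARE was exported with reg.exe (or dumped from an offline
hive) and decoded to text: reg.exe writes UTF-16LE, so read the file with
open(path, encoding="utf-16").
"""
import re

# Explorer loads every CLSID listed under SSODL at shell start-up. The sample
# is 32-bit, so its writes land in the WOW6432Node view; a 64-bit explorer.exe
# reads the native view, so both views are checked.
SSODL_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
)
CLSID_ROOTS = {
    "native": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
    "wow6432node": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID",
}
# Assumption: the only SSODL entry expected on a clean Windows 10 image is
# WebCheck. Replace this with a baseline captured from a known-good host.
BASELINE_CLSIDS = frozenset({"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"})

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg syntax escapes backslashes and double quotes inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: keys and REG_SZ values.

    Returns {key_path_lowercased: {value_name: data}}; the default value has
    the name "". Keys are lower-cased because registry paths are
    case-insensitive (the report itself mixes 'Software' and 'SOFTWARE').
    dword:/hex: data is skipped; SSODL and InProcServer32 use REG_SZ.
    """
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            hives.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                hives[current][name] = _unescape(data[1:-1])
    return hives


def resolve_ssodl(hives, baseline=BASELINE_CLSIDS):
    """Join each SSODL entry to the InProcServer32 of the CLSID it names."""
    findings = []
    for key in SSODL_KEYS:
        view = "wow6432node" if "wow6432node" in key.lower() else "native"
        other = "native" if view == "wow6432node" else "wow6432node"
        for name, clsid in hives.get(key.lower(), {}).items():
            clsid = clsid.upper()
            server = threading = None
            # look in the same registry view first, then in the other one
            for root_view in (view, other):
                inproc = f"{CLSID_ROOTS[root_view]}\\{clsid}\\InProcServer32".lower()
                if inproc in hives:
                    server = hives[inproc].get("")
                    threading = hives[inproc].get("ThreadingModel")
                    break
            findings.append({
                "view": view, "name": name, "clsid": clsid,
                "server_dll": server, "threading_model": threading,
                "in_baseline": clsid in baseline,
            })
    return findings


def unexpected(findings):
    """Entries outside the baseline: what a responder should triage first."""
    return [f for f in findings if not f["in_baseline"]]


# Constructed export: the keys this report shows the sample writing (SSODL
# name, CLSID, ThreadingModel and one of the reported DLL paths) plus a
# native-view WebCheck entry standing in for the clean baseline.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\Windows\\SysWow64\\Pnpmgngb.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for f in unexpected(resolve_ssodl(parse_reg_export(SAMPLE_EXPORT))):
        print(f"[{f['view']}] SSODL '{f['name']}' -> {f['clsid']} -> "
              f"{f['server_dll']} (ThreadingModel={f['threading_model']})")
```

On a live host the same join can be done against the registry directly; the offline form is used here because it also works on a hive pulled from a disk image, and because the report's own rows (which name the key, the CLSID and the DLL separately) are easiest to check against an export. An SSODL entry whose server DLL sits in SysWow64 under an eight-letter random name, as every one of the 20 DLLs in the signature above does, is the indicator to act on; the CLSID value alone is not, since the sample could change it between builds.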
Suspicious use of WriteProcessMemory (64 IoCs)

The report lists three identical "wrote to memory of" events for each spawn; each row below collapses them. The signature lists exactly 64 IoCs, so the last pair is cut off after its first event. procid_target is the target's index in the report's process list.

PID   Process                               target PID  procid_target  events
2704  0dc896da1830f3c89a41c81bc95ac05b.exe  4496        95             3
4496  Dhgjll32.exe                          3044        96             3
3044  Gebimmco.exe                          2608        97             3
2608  Gllajf32.exe                          2964        98             3
2964  Hcaibo32.exe                          4048        99             3
4048  Hjpkjh32.exe                          1640        100            3
1640  Hfgloiqf.exe                          1552        101            3
1552  Ioppho32.exe                          3892        102            3
3892  Imjgbb32.exe                          1168        103            3
1168  Jgbhdkml.exe                          796         104            3
796   Jifabb32.exe                          1152        105            3
1152  Jjemle32.exe                          2064        106            3
2064  Kaflio32.exe                          4896        107            3
4896  Kpnepk32.exe                          5016        108            3
5016  Najjmjkg.exe                          792         109            3
792   Onngci32.exe                          4056        110            3
4056  Odhppclh.exe                          2896        112            3
2896  Pjgemi32.exe                          1084        113            3
1084  Qpmmfbfl.exe                          3472        114            3
3472  Ajjjjghg.exe                          1280        115            3
1280  Anjpeelk.exe                          3624        117            3
3624  Bjcmpepm.exe                          1836        118            1 (list cut off at 64 IoCs)
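The WriteProcessMemory rows name only the parent's image, so the identity of the last child in the chain has to come from the "Executes dropped EXE" list, and the 64-row cap means the rows stop well before the process tree does. The Python below is an added example for this page, not tria.ge code: it parses both signature bodies as they appear on the page, collapses the triplicated rows, cross-references pids to image names and rebuilds the lineage, flagging any pid that is claimed by two different parents. The embedded input is an excerpt of the rows shown in this report.

```python
"""Rebuild process lineage from the flattened 'Suspicious use of
WriteProcessMemory' and 'Executes dropped EXE' rows of a tria.ge report.

Added example for this report; not tria.ge code. Input is the row text as it
appears on the page (a copy of the two signature bodies).
"""
import re

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
# The back-reference \1 pins the repeated parent pid, so an image name that
# happens to contain digits cannot shift the split.
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# "<pid> <image>" pairs from the Executes dropped EXE list
EXE_ROW = re.compile(r"(\d+) (\S+\.exe)")


def parse_wpm(text):
    """Return {child_pid: (parent_pid, parent_image, procid_target)}.

    The report repeats each spawn as three identical rows (the sandbox logs
    three writes into every new child); identical rows collapse to one, and a
    child claimed by two different parents is an error worth seeing.
    """
    edges = {}
    for m in WPM_ROW.finditer(text):
        parent, child = int(m.group(1)), int(m.group(2))
        row = (parent, m.group(3), int(m.group(4)))
        if edges.setdefault(child, row) != row:
            raise ValueError(f"pid {child} has conflicting parents: {edges[child]} vs {row}")
    return edges


def parse_dropped(text):
    """Return {pid: image} from the Executes dropped EXE list."""
    return {int(pid): image for pid, image in EXE_ROW.findall(text)}


def lineage(edges, images, root):
    """Depth-first list of (depth, pid, image) starting at `root`.

    WPM rows name only the parent's image, so a leaf's image must come from
    the dropped-EXE list; the root's image comes from its own row.
    """
    names = dict(images)
    children = {}
    for child, (parent, image, _) in edges.items():
        names.setdefault(parent, image)
        children.setdefault(parent, []).append(child)
    out = []

    def walk(pid, depth):
        out.append((depth, pid, names.get(pid, "<unknown>")))
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    walk(root, 0)
    return out


def is_linear(edges):
    """True when no pid spawned more than one child, i.e. a straight chain."""
    return len({parent for parent, _, _ in edges.values()}) == len(edges)


# Excerpt of the rows shown in this report (first four spawns, each of which
# the page lists three times) and the first entries of the dropped-EXE list.
WPM_EXCERPT = (
    "PID 2704 wrote to memory of 4496 2704 0dc896da1830f3c89a41c81bc95ac05b.exe 95 " * 3
    + "PID 4496 wrote to memory of 3044 4496 Dhgjll32.exe 96 " * 3
    + "PID 3044 wrote to memory of 2608 3044 Gebimmco.exe 97 " * 3
    + "PID 2608 wrote to memory of 2964 2608 Gllajf32.exe 98 " * 3
)
DROPPED_EXCERPT = ("4496 Dhgjll32.exe 3044 Gebimmco.exe 2608 Gllajf32.exe "
                   "2964 Hcaibo32.exe 4048 Hjpkjh32.exe")

if __name__ == "__main__":
    edges = parse_wpm(WPM_EXCERPT)
    for depth, pid, image in lineage(edges, parse_dropped(DROPPED_EXCERPT), 2704):
        print("  " * depth + f"{pid} {image}")
    print("linear chain:", is_linear(edges))
```

Run against the full 64 rows above, the chain from pid 2704 is 23 processes deep and strictly linear, which matches the process tree below; the value of the cross-reference shows at the end of the chain, where pid 1836 is named only by the dropped-EXE list (Ckmmpg32.exe).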
Processes
Each entry below gives the process's depth in the tree, its image path, its command line, and its PID, followed by the signatures that process triggered.

1. C:\Users\Admin\AppData\Local\Temp\0dc896da1830f3c89a41c81bc95ac05b.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0dc896da1830f3c89a41c81bc95ac05b.exe") PID:2704
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Dhgjll32.exe (command line: C:\Windows\system32\Dhgjll32.exe) PID:4496
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Gebimmco.exe (command line: C:\Windows\system32\Gebimmco.exe) PID:3044
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Gllajf32.exe (command line: C:\Windows\system32\Gllajf32.exe) PID:2608
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Hcaibo32.exe (command line: C:\Windows\system32\Hcaibo32.exe) PID:2964
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Hjpkjh32.exe (command line: C:\Windows\system32\Hjpkjh32.exe) PID:4048
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hfgloiqf.exe (command line: C:\Windows\system32\Hfgloiqf.exe) PID:1640
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ioppho32.exe (command line: C:\Windows\system32\Ioppho32.exe) PID:1552
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Imjgbb32.exe (command line: C:\Windows\system32\Imjgbb32.exe) PID:3892
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jgbhdkml.exe (command line: C:\Windows\system32\Jgbhdkml.exe) PID:1168
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Jifabb32.exe (command line: C:\Windows\system32\Jifabb32.exe) PID:796
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Jjemle32.exe (command line: C:\Windows\system32\Jjemle32.exe) PID:1152
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Kaflio32.exe (command line: C:\Windows\system32\Kaflio32.exe) PID:2064
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Kpnepk32.exe (command line: C:\Windows\system32\Kpnepk32.exe) PID:4896
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Najjmjkg.exe (command line: C:\Windows\system32\Najjmjkg.exe) PID:5016
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Onngci32.exe (command line: C:\Windows\system32\Onngci32.exe) PID:792
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Odhppclh.exe (command line: C:\Windows\system32\Odhppclh.exe) PID:4056
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Pjgemi32.exe (command line: C:\Windows\system32\Pjgemi32.exe) PID:2896
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Qpmmfbfl.exe (command line: C:\Windows\system32\Qpmmfbfl.exe) PID:1084
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ajjjjghg.exe (command line: C:\Windows\system32\Ajjjjghg.exe) PID:3472
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Anjpeelk.exe (command line: C:\Windows\system32\Anjpeelk.exe) PID:1280
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Bjcmpepm.exe (command line: C:\Windows\system32\Bjcmpepm.exe) PID:3624
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Ckmmpg32.exe (command line: C:\Windows\system32\Ckmmpg32.exe) PID:1836
    - Executes dropped EXE
24. C:\Windows\SysWOW64\Cbfema32.exe (command line: C:\Windows\system32\Cbfema32.exe) PID:1080
    - Executes dropped EXE
    - Drops file in System32 directory
25. C:\Windows\SysWOW64\Daeddlco.exe (command line: C:\Windows\system32\Daeddlco.exe) PID:3464
    - Executes dropped EXE
26. C:\Windows\SysWOW64\Dnienqbi.exe (command line: C:\Windows\system32\Dnienqbi.exe) PID:5112
    - Executes dropped EXE
27. C:\Windows\SysWOW64\Dajnol32.exe (command line: C:\Windows\system32\Dajnol32.exe) PID:2388
    - Executes dropped EXE
28. C:\Windows\SysWOW64\Enpknplq.exe (command line: C:\Windows\system32\Enpknplq.exe) PID:1048
    - Executes dropped EXE
29. C:\Windows\SysWOW64\Eieplhlf.exe (command line: C:\Windows\system32\Eieplhlf.exe) PID:1096
    - Executes dropped EXE
30. C:\Windows\SysWOW64\Fbjcplhj.exe (command line: C:\Windows\system32\Fbjcplhj.exe) PID:5088
    - Executes dropped EXE
31. C:\Windows\SysWOW64\Fkiapn32.exe (command line: C:\Windows\system32\Fkiapn32.exe) PID:2284
    - Executes dropped EXE
32. C:\Windows\SysWOW64\Gedohfmp.exe (command line: C:\Windows\system32\Gedohfmp.exe) PID:2168
    - Executes dropped EXE
33. C:\Windows\SysWOW64\Jkomhhae.exe (command line: C:\Windows\system32\Jkomhhae.exe) PID:1204
    - Executes dropped EXE
34. C:\Windows\SysWOW64\Jchaoe32.exe (command line: C:\Windows\system32\Jchaoe32.exe) PID:4060
    - Executes dropped EXE
    - Drops file in System32 directory
35. C:\Windows\SysWOW64\Jcmkjeko.exe (command line: C:\Windows\system32\Jcmkjeko.exe) PID:2676
    - Executes dropped EXE
36. C:\Windows\SysWOW64\Kkmijf32.exe (command line: C:\Windows\system32\Kkmijf32.exe) PID:1948
    - Executes dropped EXE
37. C:\Windows\SysWOW64\Kcfnqccd.exe (command line: C:\Windows\system32\Kcfnqccd.exe) PID:4592
    - Executes dropped EXE
38. C:\Windows\SysWOW64\Lbnggpfj.exe (command line: C:\Windows\system32\Lbnggpfj.exe) PID:1464
    - Executes dropped EXE
39. C:\Windows\SysWOW64\Lfcfnm32.exe (command line: C:\Windows\system32\Lfcfnm32.exe) PID:1560
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
40. C:\Windows\SysWOW64\Mcggga32.exe (command line: C:\Windows\system32\Mcggga32.exe) PID:5068
    - Executes dropped EXE
41. C:\Windows\SysWOW64\Midoph32.exe (command line: C:\Windows\system32\Midoph32.exe) PID:2232
    - Executes dropped EXE
42. C:\Windows\SysWOW64\Mjheejff.exe (command line: C:\Windows\system32\Mjheejff.exe) PID:3992
    - Executes dropped EXE
43. C:\Windows\SysWOW64\Npgjbabk.exe (command line: C:\Windows\system32\Npgjbabk.exe) PID:1564
    - Executes dropped EXE
    - Modifies registry class
44. C:\Windows\SysWOW64\Niblafgi.exe (command line: C:\Windows\system32\Niblafgi.exe) PID:4580
    - Executes dropped EXE
45. C:\Windows\SysWOW64\Nmpdgdmp.exe (command line: C:\Windows\system32\Nmpdgdmp.exe) PID:4908
    - Executes dropped EXE
46. C:\Windows\SysWOW64\Obccpj32.exe (command line: C:\Windows\system32\Obccpj32.exe) PID:2120
    - Executes dropped EXE
47. C:\Windows\SysWOW64\Ojmgggdo.exe (command line: C:\Windows\system32\Ojmgggdo.exe) PID:4928
    - Executes dropped EXE
48. C:\Windows\SysWOW64\Oibdhd32.exe (command line: C:\Windows\system32\Oibdhd32.exe) PID:5044
    - Executes dropped EXE
49. C:\Windows\SysWOW64\Ajggjq32.exe (command line: C:\Windows\system32\Ajggjq32.exe) PID:3000
    - Executes dropped EXE
50. C:\Windows\SysWOW64\Aneppo32.exe (command line: C:\Windows\system32\Aneppo32.exe) PID:4544
    - Executes dropped EXE
51. C:\Windows\SysWOW64\Bkpfjb32.exe (command line: C:\Windows\system32\Bkpfjb32.exe) PID:5048
    - Executes dropped EXE
    - Drops file in System32 directory
52. C:\Windows\SysWOW64\Bqahmhpi.exe (command line: C:\Windows\system32\Bqahmhpi.exe) PID:4540
    - Executes dropped EXE
53. C:\Windows\SysWOW64\Cdbmifdl.exe (command line: C:\Windows\system32\Cdbmifdl.exe) PID:1644
    - Executes dropped EXE
54. C:\Windows\SysWOW64\Cmblhh32.exe (command line: C:\Windows\system32\Cmblhh32.exe) PID:1264
    - Executes dropped EXE
    - Modifies registry class
55. C:\Windows\SysWOW64\Dcgcaq32.exe (command line: C:\Windows\system32\Dcgcaq32.exe) PID:2508
    - Executes dropped EXE
56. C:\Windows\SysWOW64\Eanqpdgi.exe (command line: C:\Windows\system32\Eanqpdgi.exe) PID:756
    - Executes dropped EXE
    - Modifies registry class
57. C:\Windows\SysWOW64\Ecoiapdj.exe (command line: C:\Windows\system32\Ecoiapdj.exe) PID:1376
    - Executes dropped EXE
58. C:\Windows\SysWOW64\Flmhclod.exe (command line: C:\Windows\system32\Flmhclod.exe) PID:2524
    - Executes dropped EXE
59. C:\Windows\SysWOW64\Fmbnfcam.exe (command line: C:\Windows\system32\Fmbnfcam.exe) PID:4176
    - Executes dropped EXE
60. C:\Windows\SysWOW64\Goipae32.exe (command line: C:\Windows\system32\Goipae32.exe) PID:4276
    - Executes dropped EXE
61. C:\Windows\SysWOW64\Gechnpid.exe (command line: C:\Windows\system32\Gechnpid.exe) PID:5084
    - Executes dropped EXE
62. C:\Windows\SysWOW64\Glompi32.exe (command line: C:\Windows\system32\Glompi32.exe) PID:2728
    - Executes dropped EXE
63. C:\Windows\SysWOW64\Gehbio32.exe (command line: C:\Windows\system32\Gehbio32.exe) PID:3604
    - Executes dropped EXE
64. C:\Windows\SysWOW64\Hopfadlp.exe (command line: C:\Windows\system32\Hopfadlp.exe) PID:1244
    - Executes dropped EXE
65. C:\Windows\SysWOW64\Hkggfe32.exe (command line: C:\Windows\system32\Hkggfe32.exe) PID:960
    - Executes dropped EXE
66. C:\Windows\SysWOW64\Hoglbc32.exe (command line: C:\Windows\system32\Hoglbc32.exe) PID:3080
67. C:\Windows\SysWOW64\Hecadm32.exe (command line: C:\Windows\system32\Hecadm32.exe) PID:2764
68. C:\Windows\SysWOW64\Hlmiagbo.exe (command line: C:\Windows\system32\Hlmiagbo.exe) PID:4016
69. C:\Windows\SysWOW64\Iamoon32.exe (command line: C:\Windows\system32\Iamoon32.exe) PID:4284
70. C:\Windows\SysWOW64\Jookjpam.exe (command line: C:\Windows\system32\Jookjpam.exe) PID:2828
    - Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Jlblcdpf.exe (command line: C:\Windows\system32\Jlblcdpf.exe) PID:3880
72. C:\Windows\SysWOW64\Jdnqgg32.exe (command line: C:\Windows\system32\Jdnqgg32.exe) PID:3896
73. C:\Windows\SysWOW64\Ldlmieaa.exe (command line: C:\Windows\system32\Ldlmieaa.exe) PID:4076
74. C:\Windows\SysWOW64\Lfnfhg32.exe (command line: C:\Windows\system32\Lfnfhg32.exe) PID:400
75. C:\Windows\SysWOW64\Mieeka32.exe (command line: C:\Windows\system32\Mieeka32.exe) PID:2256
76. C:\Windows\SysWOW64\Nkkggl32.exe (command line: C:\Windows\system32\Nkkggl32.exe) PID:4320
77. C:\Windows\SysWOW64\Nlmdml32.exe (command line: C:\Windows\system32\Nlmdml32.exe) PID:5128
    - Modifies registry class
78. C:\Windows\SysWOW64\Neeifa32.exe (command line: C:\Windows\system32\Neeifa32.exe) PID:5188
79. C:\Windows\SysWOW64\Nejbaqgo.exe (command line: C:\Windows\system32\Nejbaqgo.exe) PID:5232
80. C:\Windows\SysWOW64\Nnbfjf32.exe (command line: C:\Windows\system32\Nnbfjf32.exe) PID:5288
81. C:\Windows\SysWOW64\Oihkgo32.exe (command line: C:\Windows\system32\Oihkgo32.exe) PID:5336
82. C:\Windows\SysWOW64\Obqopddf.exe (command line: C:\Windows\system32\Obqopddf.exe) PID:5380
83. C:\Windows\SysWOW64\Olkqnjhd.exe (command line: C:\Windows\system32\Olkqnjhd.exe) PID:5444
84. C:\Windows\SysWOW64\Pbjbfclk.exe (command line: C:\Windows\system32\Pbjbfclk.exe) PID:5504
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
85. C:\Windows\SysWOW64\Qolbgbgb.exe (command line: C:\Windows\system32\Qolbgbgb.exe) PID:5540
    - Modifies registry class
86. C:\Windows\SysWOW64\Qlpcpffl.exe (command line: C:\Windows\system32\Qlpcpffl.exe) PID:5596
    - Drops file in System32 directory
87. C:\Windows\SysWOW64\Agojdnng.exe (command line: C:\Windows\system32\Agojdnng.exe) PID:5644
    - Modifies registry class
88. C:\Windows\SysWOW64\Bcfkiock.exe (command line: C:\Windows\system32\Bcfkiock.exe) PID:5688
    - Drops file in System32 directory
89. C:\Windows\SysWOW64\Blqlgdhi.exe (command line: C:\Windows\system32\Blqlgdhi.exe) PID:5728
90. C:\Windows\SysWOW64\Bidlqhgc.exe (command line: C:\Windows\system32\Bidlqhgc.exe) PID:5768
    - Adds autorun key to be loaded by Explorer.exe on startup
91. C:\Windows\SysWOW64\Cnealfkf.exe (command line: C:\Windows\system32\Cnealfkf.exe) PID:5812
92. C:\Windows\SysWOW64\Cgmfel32.exe (command line: C:\Windows\system32\Cgmfel32.exe) PID:5848
    - Adds autorun key to be loaded by Explorer.exe on startup
93. C:\Windows\SysWOW64\Cngnbfid.exe (command line: C:\Windows\system32\Cngnbfid.exe) PID:5900
94. C:\Windows\SysWOW64\Cjpllgme.exe (command line: C:\Windows\system32\Cjpllgme.exe) PID:5944
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
95. C:\Windows\SysWOW64\Dodjemee.exe (command line: C:\Windows\system32\Dodjemee.exe) PID:6000
    - Drops file in System32 directory
96. C:\Windows\SysWOW64\Egeemiml.exe (command line: C:\Windows\system32\Egeemiml.exe) PID:6040
97. C:\Windows\SysWOW64\Emanepld.exe (command line: C:\Windows\system32\Emanepld.exe) PID:6096
98. C:\Windows\SysWOW64\Fcgemhic.exe (command line: C:\Windows\system32\Fcgemhic.exe) PID:6132
    - Drops file in System32 directory
99. C:\Windows\SysWOW64\Fjanjb32.exe (command line: C:\Windows\system32\Fjanjb32.exe) PID:5160
    - Drops file in System32 directory
    - Modifies registry class
100. C:\Windows\SysWOW64\Fppchile.exe (command line: C:\Windows\system32\Fppchile.exe) PID:5268
     - Drops file in System32 directory
101. C:\Windows\SysWOW64\Fjfgealk.exe (command line: C:\Windows\system32\Fjfgealk.exe) PID:5368
102. C:\Windows\SysWOW64\Gfcnka32.exe (command line: C:\Windows\system32\Gfcnka32.exe) PID:4664
     - Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Gaibhj32.exe (command line: C:\Windows\system32\Gaibhj32.exe) PID:5480
104. C:\Windows\SysWOW64\Hdaajd32.exe (command line: C:\Windows\system32\Hdaajd32.exe) PID:1268
105. C:\Windows\SysWOW64\Jhmfba32.exe (command line: C:\Windows\system32\Jhmfba32.exe) PID:5672
     - Drops file in System32 directory
106. C:\Windows\SysWOW64\Jncapf32.exe (command line: C:\Windows\system32\Jncapf32.exe) PID:5736
     - Modifies registry class
107. C:\Windows\SysWOW64\Kkioojpp.exe (command line: C:\Windows\system32\Kkioojpp.exe) PID:6052
108. C:\Windows\SysWOW64\Lonnfg32.exe (command line: C:\Windows\system32\Lonnfg32.exe) PID:6128
109. C:\Windows\SysWOW64\Lglopjkg.exe (command line: C:\Windows\system32\Lglopjkg.exe) PID:5276
     - Modifies registry class
110. C:\Windows\SysWOW64\Mhpeelnd.exe (command line: C:\Windows\system32\Mhpeelnd.exe) PID:4360
111. C:\Windows\SysWOW64\Mggolhaj.exe (command line: C:\Windows\system32\Mggolhaj.exe) PID:4212
112. C:\Windows\SysWOW64\Mbmbiqqp.exe (command line: C:\Windows\system32\Mbmbiqqp.exe) PID:4044
     - Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Ngodlgka.exe (command line: C:\Windows\system32\Ngodlgka.exe) PID:5640
114. C:\Windows\SysWOW64\Nejkfj32.exe (command line: C:\Windows\system32\Nejkfj32.exe) PID:5720
115. C:\Windows\SysWOW64\Onbpop32.exe (command line: C:\Windows\system32\Onbpop32.exe) PID:5776
116. C:\Windows\SysWOW64\Oelhljaq.exe (command line: C:\Windows\system32\Oelhljaq.exe) PID:3096
117. C:\Windows\SysWOW64\Okkidceh.exe (command line: C:\Windows\system32\Okkidceh.exe) PID:5800
118. C:\Windows\SysWOW64\Ppkopail.exe (command line: C:\Windows\system32\Ppkopail.exe) PID:2496
     - Modifies registry class
119. C:\Windows\SysWOW64\Pbiklmhp.exe (command line: C:\Windows\system32\Pbiklmhp.exe) PID:5896
120. C:\Windows\SysWOW64\Plifea32.exe (command line: C:\Windows\system32\Plifea32.exe) PID:6108
121. C:\Windows\SysWOW64\Abjdbj32.exe (command line: C:\Windows\system32\Abjdbj32.exe) PID:1984
122. C:\Windows\SysWOW64\Ahfmka32.exe (command line: C:\Windows\system32\Ahfmka32.exe) PID:5888
     - Modifies registry class