Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
161s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10/04/2024, 05:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0e8cd9727678fe4df1bf18556b2468fa.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0e8cd9727678fe4df1bf18556b2468fa.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
0e8cd9727678fe4df1bf18556b2468fa.exe
-
Size
400KB
-
MD5
0e8cd9727678fe4df1bf18556b2468fa
-
SHA1
201cb04a4ebc78c1feb945610d3fefc80cf37696
-
SHA256
957f407dd2c9da0e716433d707a6665f433c9b74afe5cf7ee37cf60119530f20
-
SHA512
df51023e40193a9a2f6d15c70010caa18a646e76e04a98477ea2353bc2073d95cfaf401acbb00191b90ba28c0efa811b5692e8418c5db9781a5068b39f3cfb4e
-
SSDEEP
6144:vnhkGheddLAY/Xr4Br3CbArLAZ26RQ8sY6CbArLAY/9bPk6Cbv:WC4Rrgryg426RQagrkj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenmcggo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbihmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmeapbpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baepjpea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjnkkjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malgmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbjbfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkqnjhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ionlhlld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajfobfaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhpckb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcbckk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iffcgoka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafhap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaqkgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niconj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iemdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fapdomgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdffkgpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcjgcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehkpmgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpqcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgieajgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobdlqnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggkifmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbfhne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Panhbfep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpklql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfchkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkpoha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjpff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peajngoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbnpnme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemchn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoheakj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqiiamjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgmjdlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locbpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhnqoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmafjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oofepe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpnga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klloichl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baepjpea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgngkmkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfaenfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neaokboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efopeeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halmaiog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moglpedd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcbckk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphkfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Docmqp32.exe -
Executes dropped EXE 64 IoCs
pid Process 4904 Gmimai32.exe 3724 Hedafk32.exe 1704 Hbhboolf.exe 4536 Hplbickp.exe 5068 Hmpcbhji.exe 4024 Hmdlmg32.exe 3576 Ibaeen32.exe 4740 Ifomll32.exe 4992 Ipgbdbqb.exe 4044 Igdgglfl.exe 3176 Ioolkncg.exe 412 Ipoheakj.exe 1204 Jleijb32.exe 3096 Jenmcggo.exe 2312 Jcanll32.exe 2268 Jebfng32.exe 2104 Jokkgl32.exe 1164 Kcidmkpq.exe 1180 Lcimdh32.exe 724 Lmdnbn32.exe 4852 Lcnfohmi.exe 4032 Ljhnlb32.exe 4924 Mmfkhmdi.exe 1836 Mnjqmpgg.exe 3872 Mqkiok32.exe 4660 Nmbjcljl.exe 4440 Nmipdk32.exe 264 Ngqagcag.exe 2320 Oanokhdb.exe 3164 Ojfcdnjc.exe 2840 Ogjdmbil.exe 2924 Pnfiplog.exe 5056 Pmlfqh32.exe 4680 Pjpfjl32.exe 2944 Pnmopk32.exe 1468 Pdjgha32.exe 3516 Panhbfep.exe 1540 Pdmdnadc.exe 4980 Qhjmdp32.exe 4228 Afpjel32.exe 3252 Aogbfi32.exe 2956 Aaenbd32.exe 3472 Afbgkl32.exe 4600 Apjkcadp.exe 1460 Agdcpkll.exe 2132 Aajhndkb.exe 2524 Adhdjpjf.exe 3316 Jpgdai32.exe 4464 Ofckhj32.exe 1004 Ocgkan32.exe 2364 Ofegni32.exe 832 Oonlfo32.exe 1848 Ocihgnam.exe 828 Omalpc32.exe 2932 Ofjqihnn.exe 1216 Fjjjgh32.exe 4588 Fcbnpnme.exe 3032 Jelonkph.exe 3688 Jjihfbno.exe 1036 Jbppgona.exe 1820 Jdalog32.exe 2256 Jlidpe32.exe 4284 Jogqlpde.exe 3348 Jaemilci.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jjnaaa32.exe Jeaiij32.exe File created C:\Windows\SysWOW64\Ioqohb32.exe Iehkpmgl.exe File opened for modification C:\Windows\SysWOW64\Copajm32.exe Cnndbecl.exe File opened for modification C:\Windows\SysWOW64\Jcanll32.exe Jenmcggo.exe File opened for modification C:\Windows\SysWOW64\Edcqojqh.exe Emihbp32.exe File opened for modification C:\Windows\SysWOW64\Jnhphg32.exe Jgngkmkf.exe File created C:\Windows\SysWOW64\Mmlhpaji.exe Lbgcch32.exe File created C:\Windows\SysWOW64\Iqpjhepn.dll Lfgnkgbf.exe File opened for modification C:\Windows\SysWOW64\Bicjjncd.exe Bhnqoo32.exe File opened for modification C:\Windows\SysWOW64\Jgngkmkf.exe Jdpkoalc.exe File opened for modification C:\Windows\SysWOW64\Hcmbnk32.exe Hpofbobf.exe File opened for modification C:\Windows\SysWOW64\Nifnao32.exe Nicalpak.exe File opened for modification C:\Windows\SysWOW64\Apnkfelb.exe Qlpcpffl.exe File created C:\Windows\SysWOW64\Odighm32.dll Idjdqc32.exe File created C:\Windows\SysWOW64\Pafmke32.dll Abnnnjfh.exe File opened for modification C:\Windows\SysWOW64\Kkegbpca.exe Kehojiej.exe File created C:\Windows\SysWOW64\Imabnofj.exe Hmjmnpmb.exe File opened for modification C:\Windows\SysWOW64\Comddn32.exe Cjpllgme.exe File opened for modification C:\Windows\SysWOW64\Ejmild32.exe Edcqojqh.exe File opened for modification C:\Windows\SysWOW64\Aikbpckb.exe Aacjofkp.exe File created C:\Windows\SysWOW64\Cohjmfjh.dll Ajphagha.exe File created C:\Windows\SysWOW64\Lmdnbn32.exe Lcimdh32.exe File opened for modification C:\Windows\SysWOW64\Igedenca.exe Idfhibdn.exe File opened for modification C:\Windows\SysWOW64\Nlbkjf32.exe Niconj32.exe File opened for modification C:\Windows\SysWOW64\Hmpjfdcb.exe Hkbmjhdo.exe File opened for modification C:\Windows\SysWOW64\Nmbjcljl.exe Mqkiok32.exe File created C:\Windows\SysWOW64\Khcjhnoh.dll Pfmdgq32.exe File created C:\Windows\SysWOW64\Ogidij32.dll Oajcnkdl.exe File created C:\Windows\SysWOW64\Gefipm32.dll Iehkpmgl.exe File opened for modification C:\Windows\SysWOW64\Jakkplbc.exe Jedjkkmo.exe File opened for modification C:\Windows\SysWOW64\Jgbccm32.exe Jphkfc32.exe File opened for modification C:\Windows\SysWOW64\Cipppc32.exe Cfaddg32.exe File created C:\Windows\SysWOW64\Gjhdkajh.exe Fcnlng32.exe File created C:\Windows\SysWOW64\Bgkijp32.exe Bdmmnd32.exe File created C:\Windows\SysWOW64\Eimegk32.exe Ebcmjqej.exe File created C:\Windows\SysWOW64\Kekcjc32.dll Gifadggi.exe File created C:\Windows\SysWOW64\Ladpnepb.exe Kcjjajop.exe File opened for modification C:\Windows\SysWOW64\Pjpfjl32.exe Pmlfqh32.exe File opened for modification C:\Windows\SysWOW64\Inhgaipf.exe Hjjnkkjp.exe File created C:\Windows\SysWOW64\Bfabmmhe.exe Bimach32.exe File created C:\Windows\SysWOW64\Knhbflbp.exe Khlinedh.exe File created C:\Windows\SysWOW64\Dibmfb32.exe Dgqqnjea.exe File opened for modification C:\Windows\SysWOW64\Fjmkhkff.exe Fmikoggm.exe File created C:\Windows\SysWOW64\Kfleip32.dll Lmeapbpa.exe File created C:\Windows\SysWOW64\Bdhfaj32.exe Boknic32.exe File opened for modification C:\Windows\SysWOW64\Nimbdi32.exe Naejcl32.exe File created C:\Windows\SysWOW64\Lkjmdeij.dll Plndma32.exe File created C:\Windows\SysWOW64\Bgkmid32.dll Lqfnqjpi.exe File opened for modification C:\Windows\SysWOW64\Hmjmnpmb.exe Hhmdeink.exe File created C:\Windows\SysWOW64\Fcnlng32.exe Fnacfp32.exe File created C:\Windows\SysWOW64\Aaqgop32.exe Ajfobfaj.exe File created C:\Windows\SysWOW64\Hgieipmo.exe Halmaiog.exe File created C:\Windows\SysWOW64\Nfllgl32.dll Cnndbecl.exe File opened for modification C:\Windows\SysWOW64\Illmho32.exe Ikkppgld.exe File opened for modification C:\Windows\SysWOW64\Hoaocf32.exe Gikdep32.exe File created C:\Windows\SysWOW64\Aljhbm32.dll Ipbhch32.exe File created C:\Windows\SysWOW64\Cfidbo32.dll Ipgbdbqb.exe File created C:\Windows\SysWOW64\Bmijpchc.dll Agdcpkll.exe File created C:\Windows\SysWOW64\Ogmeemdg.dll Jpgdai32.exe File created C:\Windows\SysWOW64\Oogdfc32.exe Odbpij32.exe File opened for modification C:\Windows\SysWOW64\Mbppjd32.exe Moacnh32.exe File opened for modification C:\Windows\SysWOW64\Jleijb32.exe Ipoheakj.exe File opened for modification C:\Windows\SysWOW64\Ocihgnam.exe Oonlfo32.exe File opened for modification C:\Windows\SysWOW64\Npipnjmm.exe Niohap32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhgheg.dll" Kdgcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggkiha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaaakfgk.dll" Ffeaichg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmlkpgia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebplen32.dll" Peajngoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgalejf.dll" Abqjci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnnkaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moacnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 0e8cd9727678fe4df1bf18556b2468fa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcidmkpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niconj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbhhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekkmhd32.dll" Fjjnblhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdlakbf.dll" Hplbickp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jenmcggo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfbfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgkhi32.dll" Hhegjdag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgonal32.dll" Hnpognhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqfnqjpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apdkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkknfj32.dll" Fcanmlea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjjnblhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieijp32.dll" Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adjjgp32.dll" Mmlhpaji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oediim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpklql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmaakpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amblpikl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eagahnob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkpmbm32.dll" Inhgaipf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhojqcil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmfjmkcf.dll" Iklgkmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjmfmnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fafkoiji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jljiimeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecblbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihaifam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhkhqeo.dll" Bicjjncd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijcjgcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peajngoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eangimij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkbmjhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofckhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olfgcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjmdeij.dll" Plndma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apjkcadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eglkmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjkigojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djndja32.dll" Ahiiqafa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nacmnlkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkchna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnoanl32.dll" Ikjmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diafkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbfbm32.dll" Jkcpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nldjnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckakb32.dll" Abodhpic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiclodaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nemchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jialhk32.dll" Neclpamg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjdclhp.dll" Hdaajd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 4904 2188 0e8cd9727678fe4df1bf18556b2468fa.exe 87 PID 2188 wrote to memory of 4904 2188 0e8cd9727678fe4df1bf18556b2468fa.exe 87 PID 2188 wrote to memory of 4904 2188 0e8cd9727678fe4df1bf18556b2468fa.exe 87 PID 4904 wrote to memory of 3724 4904 Gmimai32.exe 88 PID 4904 wrote to memory of 3724 4904 Gmimai32.exe 88 PID 4904 wrote to memory of 3724 4904 Gmimai32.exe 88 PID 3724 wrote to memory of 1704 3724 Hedafk32.exe 89 PID 3724 wrote to memory of 1704 3724 Hedafk32.exe 89 PID 3724 wrote to memory of 1704 3724 Hedafk32.exe 89 PID 1704 wrote to memory of 4536 1704 Hbhboolf.exe 90 PID 1704 wrote to memory of 4536 1704 Hbhboolf.exe 90 PID 1704 wrote to memory of 4536 1704 Hbhboolf.exe 90 PID 4536 wrote to memory of 5068 4536 Hplbickp.exe 92 PID 4536 wrote to memory of 5068 4536 Hplbickp.exe 92 PID 4536 wrote to memory of 5068 4536 Hplbickp.exe 92 PID 5068 wrote to memory of 4024 5068 Hmpcbhji.exe 93 PID 5068 wrote to memory of 4024 5068 Hmpcbhji.exe 93 PID 5068 wrote to memory of 4024 5068 Hmpcbhji.exe 93 PID 4024 wrote to memory of 3576 4024 Hmdlmg32.exe 94 PID 4024 wrote to memory of 3576 4024 Hmdlmg32.exe 94 PID 4024 wrote to memory of 3576 4024 Hmdlmg32.exe 94 PID 3576 wrote to memory of 4740 3576 Ibaeen32.exe 95 PID 3576 wrote to memory of 4740 3576 Ibaeen32.exe 95 PID 3576 wrote to memory of 4740 3576 Ibaeen32.exe 95 PID 4740 wrote to memory of 4992 4740 Ifomll32.exe 96 PID 4740 wrote to memory of 4992 4740 Ifomll32.exe 96 PID 4740 wrote to memory of 4992 4740 Ifomll32.exe 96 PID 4992 wrote to memory of 4044 4992 Ipgbdbqb.exe 97 PID 4992 wrote to memory of 4044 4992 Ipgbdbqb.exe 97 PID 4992 wrote to memory of 4044 4992 Ipgbdbqb.exe 97 PID 4044 wrote to memory of 3176 4044 Igdgglfl.exe 98 PID 4044 wrote to memory of 3176 4044 Igdgglfl.exe 98 PID 4044 wrote to memory of 3176 4044 Igdgglfl.exe 98 PID 3176 wrote to memory of 412 3176 Ioolkncg.exe 99 PID 3176 wrote to memory of 412 3176 Ioolkncg.exe 99 PID 3176 wrote to memory of 412 3176 Ioolkncg.exe 99 PID 412 wrote to memory of 1204 412 Ipoheakj.exe 100 PID 412 wrote to memory of 1204 412 Ipoheakj.exe 100 PID 412 wrote to memory of 1204 412 Ipoheakj.exe 100 PID 1204 wrote to memory of 3096 1204 Jleijb32.exe 101 PID 1204 wrote to memory of 3096 1204 Jleijb32.exe 101 PID 1204 wrote to memory of 3096 1204 Jleijb32.exe 101 PID 3096 wrote to memory of 2312 3096 Jenmcggo.exe 102 PID 3096 wrote to memory of 2312 3096 Jenmcggo.exe 102 PID 3096 wrote to memory of 2312 3096 Jenmcggo.exe 102 PID 2312 wrote to memory of 2268 2312 Jcanll32.exe 103 PID 2312 wrote to memory of 2268 2312 Jcanll32.exe 103 PID 2312 wrote to memory of 2268 2312 Jcanll32.exe 103 PID 2268 wrote to memory of 2104 2268 Jebfng32.exe 104 PID 2268 wrote to memory of 2104 2268 Jebfng32.exe 104 PID 2268 wrote to memory of 2104 2268 Jebfng32.exe 104 PID 2104 wrote to memory of 1164 2104 Jokkgl32.exe 105 PID 2104 wrote to memory of 1164 2104 Jokkgl32.exe 105 PID 2104 wrote to memory of 1164 2104 Jokkgl32.exe 105 PID 1164 wrote to memory of 1180 1164 Kcidmkpq.exe 106 PID 1164 wrote to memory of 1180 1164 Kcidmkpq.exe 106 PID 1164 wrote to memory of 1180 1164 Kcidmkpq.exe 106 PID 1180 wrote to memory of 724 1180 Lcimdh32.exe 107 PID 1180 wrote to memory of 724 1180 Lcimdh32.exe 107 PID 1180 wrote to memory of 724 1180 Lcimdh32.exe 107 PID 724 wrote to memory of 4852 724 Lmdnbn32.exe 108 PID 724 wrote to memory of 4852 724 Lmdnbn32.exe 108 PID 724 wrote to memory of 4852 724 Lmdnbn32.exe 108 PID 4852 wrote to memory of 4032 4852 Lcnfohmi.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e8cd9727678fe4df1bf18556b2468fa.exe"C:\Users\Admin\AppData\Local\Temp\0e8cd9727678fe4df1bf18556b2468fa.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Hbhboolf.exeC:\Windows\system32\Hbhboolf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Hmdlmg32.exeC:\Windows\system32\Hmdlmg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Ipgbdbqb.exeC:\Windows\system32\Ipgbdbqb.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Jenmcggo.exeC:\Windows\system32\Jenmcggo.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe23⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe25⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Nmbjcljl.exeC:\Windows\system32\Nmbjcljl.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4660 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe28⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe29⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe30⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe31⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe32⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe33⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Pmlfqh32.exeC:\Windows\system32\Pmlfqh32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5056 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe35⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe36⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe37⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe39⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Qhjmdp32.exeC:\Windows\system32\Qhjmdp32.exe40⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe43⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Afbgkl32.exeC:\Windows\system32\Afbgkl32.exe44⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe47⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Jpgdai32.exeC:\Windows\system32\Jpgdai32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3316 -
C:\Windows\SysWOW64\Ofckhj32.exeC:\Windows\system32\Ofckhj32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe51⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Ofegni32.exeC:\Windows\system32\Ofegni32.exe52⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Oonlfo32.exeC:\Windows\system32\Oonlfo32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Ocihgnam.exeC:\Windows\system32\Ocihgnam.exe54⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe55⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Ofjqihnn.exeC:\Windows\system32\Ofjqihnn.exe56⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Fjjjgh32.exeC:\Windows\system32\Fjjjgh32.exe57⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Fcbnpnme.exeC:\Windows\system32\Fcbnpnme.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Jelonkph.exeC:\Windows\system32\Jelonkph.exe59⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe60⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Jbppgona.exeC:\Windows\system32\Jbppgona.exe61⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Jdalog32.exeC:\Windows\system32\Jdalog32.exe62⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Jlidpe32.exeC:\Windows\system32\Jlidpe32.exe63⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Jogqlpde.exeC:\Windows\system32\Jogqlpde.exe64⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe65⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Jeaiij32.exeC:\Windows\system32\Jeaiij32.exe66⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe67⤵PID:4656
-
C:\Windows\SysWOW64\Kkpnga32.exeC:\Windows\system32\Kkpnga32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4048 -
C:\Windows\SysWOW64\Khdoqefq.exeC:\Windows\system32\Khdoqefq.exe69⤵PID:3692
-
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe70⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Kkegbpca.exeC:\Windows\system32\Kkegbpca.exe71⤵PID:3504
-
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe72⤵PID:4404
-
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe73⤵PID:636
-
C:\Windows\SysWOW64\Kbnlim32.exeC:\Windows\system32\Kbnlim32.exe74⤵PID:3424
-
C:\Windows\SysWOW64\Kdpiqehp.exeC:\Windows\system32\Kdpiqehp.exe75⤵PID:3224
-
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe76⤵PID:2220
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe77⤵PID:4432
-
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe78⤵PID:2192
-
C:\Windows\SysWOW64\Bimach32.exeC:\Windows\system32\Bimach32.exe79⤵
- Drops file in System32 directory
PID:4856 -
C:\Windows\SysWOW64\Bfabmmhe.exeC:\Windows\system32\Bfabmmhe.exe80⤵PID:416
-
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe81⤵PID:4976
-
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4904 -
C:\Windows\SysWOW64\Maehlqch.exeC:\Windows\system32\Maehlqch.exe83⤵PID:4536
-
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe84⤵PID:4780
-
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe85⤵PID:2124
-
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe86⤵PID:4644
-
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe87⤵PID:3052
-
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe88⤵PID:2312
-
C:\Windows\SysWOW64\Nemchn32.exeC:\Windows\system32\Nemchn32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Ngnppfgb.exeC:\Windows\system32\Ngnppfgb.exe90⤵PID:1304
-
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe91⤵PID:440
-
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe92⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe93⤵PID:1896
-
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe94⤵PID:2736
-
C:\Windows\SysWOW64\Oddmoj32.exeC:\Windows\system32\Oddmoj32.exe95⤵PID:4020
-
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe96⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe97⤵PID:4968
-
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe98⤵PID:1464
-
C:\Windows\SysWOW64\Ofhcdlgg.exeC:\Windows\system32\Ofhcdlgg.exe99⤵PID:4992
-
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe100⤵PID:3176
-
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe101⤵PID:3432
-
C:\Windows\SysWOW64\Phlikg32.exeC:\Windows\system32\Phlikg32.exe102⤵PID:4660
-
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe103⤵PID:1996
-
C:\Windows\SysWOW64\Phneqf32.exeC:\Windows\system32\Phneqf32.exe104⤵PID:4440
-
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe105⤵PID:3872
-
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe106⤵
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Pdeffgff.exeC:\Windows\system32\Pdeffgff.exe107⤵PID:708
-
C:\Windows\SysWOW64\Qkchna32.exeC:\Windows\system32\Qkchna32.exe108⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Qnbdjl32.exeC:\Windows\system32\Qnbdjl32.exe109⤵PID:3484
-
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe110⤵PID:2964
-
C:\Windows\SysWOW64\Aoapcood.exeC:\Windows\system32\Aoapcood.exe111⤵PID:2840
-
C:\Windows\SysWOW64\Anfmeldl.exeC:\Windows\system32\Anfmeldl.exe112⤵PID:4172
-
C:\Windows\SysWOW64\Agaoca32.exeC:\Windows\system32\Agaoca32.exe113⤵PID:1316
-
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe114⤵PID:4756
-
C:\Windows\SysWOW64\Bihancje.exeC:\Windows\system32\Bihancje.exe115⤵PID:4548
-
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe116⤵PID:2536
-
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe117⤵PID:644
-
C:\Windows\SysWOW64\Bijncb32.exeC:\Windows\system32\Bijncb32.exe118⤵PID:4384
-
C:\Windows\SysWOW64\Bkhjpn32.exeC:\Windows\system32\Bkhjpn32.exe119⤵PID:2824
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe120⤵PID:1308
-
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-