Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 164s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2024, 05:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2cbf413a42cf4da21fe76e36e264a357.exe
Resource
win7-20240319-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2cbf413a42cf4da21fe76e36e264a357.exe
Resource
win10v2004-20240226-en
5 signatures
150 seconds
General
Target: 2cbf413a42cf4da21fe76e36e264a357.exe
Size: 112KB
MD5: 2cbf413a42cf4da21fe76e36e264a357
SHA1: a0c9aa07926f2194484c35265b0a340fc7c76dd3
SHA256: f03c4fd0f23da05e040b4e6ffda8eb04e4bd79e2804ecea15406670912adb235
SHA512: 212bc38ba5ad9786de0e659426a0a372f1087228576ee850a6833afce743df95453478e9c395ea9e33b997495a226c556b01ffaa0576ee98ae84ac765e88e24c
SSDEEP: 3072:h6BbMZOtOlmzXhYpn4eIaSgFeJLCQnFIBOaCUjKaVLjd:wBbuyhC4etSgFeJLbnCBbC+nVLjd
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2cbf413a42cf4da21fe76e36e264a357.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2cbf413a42cf4da21fe76e36e264a357.exe"; depth 1)
  - Suspicious use of WriteProcessMemory
  PID: 3448
- C:\Windows\SysWOW64\Omalpc32.exe (command line: C:\Windows\system32\Omalpc32.exe; depth 2)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2208
- C:\Windows\SysWOW64\Ocnabm32.exe (command line: C:\Windows\system32\Ocnabm32.exe; depth 3)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4004
- C:\Windows\SysWOW64\Padnaq32.exe (command line: C:\Windows\system32\Padnaq32.exe; depth 4)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2708
- C:\Windows\SysWOW64\Pmphaaln.exe (command line: C:\Windows\system32\Pmphaaln.exe; depth 5)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2296
- C:\Windows\SysWOW64\Pciqnk32.exe (command line: C:\Windows\system32\Pciqnk32.exe; depth 6)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3492
- C:\Windows\SysWOW64\Qikbaaml.exe (command line: C:\Windows\system32\Qikbaaml.exe; depth 7)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 516
- C:\Windows\SysWOW64\Aagdnn32.exe (command line: C:\Windows\system32\Aagdnn32.exe; depth 8)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4288
- C:\Windows\SysWOW64\Bfkbfd32.exe (command line: C:\Windows\system32\Bfkbfd32.exe; depth 9)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 420
- C:\Windows\SysWOW64\Bbdpad32.exe (command line: C:\Windows\system32\Bbdpad32.exe; depth 10)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1664
- C:\Windows\SysWOW64\Ckpamabg.exe (command line: C:\Windows\system32\Ckpamabg.exe; depth 11)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4564
- C:\Windows\SysWOW64\Ckggnp32.exe (command line: C:\Windows\system32\Ckggnp32.exe; depth 12)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 456
- C:\Windows\SysWOW64\Dmjmekgn.exe (command line: C:\Windows\system32\Dmjmekgn.exe; depth 13)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1300
- C:\Windows\SysWOW64\Djgdkk32.exe (command line: C:\Windows\system32\Djgdkk32.exe; depth 14)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3104
- C:\Windows\SysWOW64\Ecdbop32.exe (command line: C:\Windows\system32\Ecdbop32.exe; depth 15)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3504
- C:\Windows\SysWOW64\Enopghee.exe (command line: C:\Windows\system32\Enopghee.exe; depth 16)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4192
- C:\Windows\SysWOW64\Fdmaoahm.exe (command line: C:\Windows\system32\Fdmaoahm.exe; depth 17)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 760
- C:\Windows\SysWOW64\Fjocbhbo.exe (command line: C:\Windows\system32\Fjocbhbo.exe; depth 18)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 5044
- C:\Windows\SysWOW64\Gjcmngnj.exe (command line: C:\Windows\system32\Gjcmngnj.exe; depth 19)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 552
- C:\Windows\SysWOW64\Haidfpki.exe (command line: C:\Windows\system32\Haidfpki.exe; depth 20)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1928
- C:\Windows\SysWOW64\Hannao32.exe (command line: C:\Windows\system32\Hannao32.exe; depth 21)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3556
- C:\Windows\SysWOW64\Jblflp32.exe (command line: C:\Windows\system32\Jblflp32.exe; depth 22)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3496
- C:\Windows\SysWOW64\Kalcik32.exe (command line: C:\Windows\system32\Kalcik32.exe; depth 23)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 4980
- C:\Windows\SysWOW64\Lbebilli.exe (command line: C:\Windows\system32\Lbebilli.exe; depth 24)
  - Executes dropped EXE
  PID: 1988
- C:\Windows\SysWOW64\Lbhool32.exe (command line: C:\Windows\system32\Lbhool32.exe; depth 25)
  - Executes dropped EXE
  PID: 4456
- C:\Windows\SysWOW64\Llpchaqg.exe (command line: C:\Windows\system32\Llpchaqg.exe; depth 26)
  - Executes dropped EXE
  PID: 1192
- C:\Windows\SysWOW64\Mhiabbdi.exe (command line: C:\Windows\system32\Mhiabbdi.exe; depth 27)
  - Executes dropped EXE
  PID: 2380
- C:\Windows\SysWOW64\Memalfcb.exe (command line: C:\Windows\system32\Memalfcb.exe; depth 28)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4548
- C:\Windows\SysWOW64\Nocbfjmc.exe (command line: C:\Windows\system32\Nocbfjmc.exe; depth 29)
  - Executes dropped EXE
  PID: 4736
- C:\Windows\SysWOW64\Oljoen32.exe (command line: C:\Windows\system32\Oljoen32.exe; depth 30)
  - Executes dropped EXE
  PID: 776
- C:\Windows\SysWOW64\Obpkcc32.exe (command line: C:\Windows\system32\Obpkcc32.exe; depth 31)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 4860
- C:\Windows\SysWOW64\Pkoemhao.exe (command line: C:\Windows\system32\Pkoemhao.exe; depth 32)
  - Executes dropped EXE
  PID: 4808
- C:\Windows\SysWOW64\Qkfkng32.exe (command line: C:\Windows\system32\Qkfkng32.exe; depth 33)
  - Executes dropped EXE
  - Modifies registry class
  PID: 2244
- C:\Windows\SysWOW64\Afqifo32.exe (command line: C:\Windows\system32\Afqifo32.exe; depth 34)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1828
- C:\Windows\SysWOW64\Bblcfo32.exe (command line: C:\Windows\system32\Bblcfo32.exe; depth 35)
  - Executes dropped EXE
  - Modifies registry class
  PID: 3456
- C:\Windows\SysWOW64\Bclppboi.exe (command line: C:\Windows\system32\Bclppboi.exe; depth 36)
  - Executes dropped EXE
  PID: 3500
- C:\Windows\SysWOW64\Bfoegm32.exe (command line: C:\Windows\system32\Bfoegm32.exe; depth 37)
  - Executes dropped EXE
  PID: 4392
- C:\Windows\SysWOW64\Cekhihig.exe (command line: C:\Windows\system32\Cekhihig.exe; depth 38)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 1452
- C:\Windows\SysWOW64\Dpgbgpbe.exe (command line: C:\Windows\system32\Dpgbgpbe.exe; depth 39)
  - Executes dropped EXE
  PID: 4816
- C:\Windows\SysWOW64\Dcmedk32.exe (command line: C:\Windows\system32\Dcmedk32.exe; depth 40)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1884
- C:\Windows\SysWOW64\Emeffcid.exe (command line: C:\Windows\system32\Emeffcid.exe; depth 41)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 1556
- C:\Windows\SysWOW64\Egmjpi32.exe (command line: C:\Windows\system32\Egmjpi32.exe; depth 42)
  - Executes dropped EXE
  PID: 1956
- C:\Windows\SysWOW64\Fjeibc32.exe (command line: C:\Windows\system32\Fjeibc32.exe; depth 43)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 3416
- C:\Windows\SysWOW64\Fcbgfhii.exe (command line: C:\Windows\system32\Fcbgfhii.exe; depth 44)
  - Executes dropped EXE
  PID: 1624
- C:\Windows\SysWOW64\Gddqejni.exe (command line: C:\Windows\system32\Gddqejni.exe; depth 45)
  - Executes dropped EXE
  PID: 4988
- C:\Windows\SysWOW64\Hqddqj32.exe (command line: C:\Windows\system32\Hqddqj32.exe; depth 46)
  - Executes dropped EXE
  PID: 4876
- C:\Windows\SysWOW64\Imfdaigj.exe (command line: C:\Windows\system32\Imfdaigj.exe; depth 47)
  - Executes dropped EXE
  PID: 4632
- C:\Windows\SysWOW64\Imknli32.exe (command line: C:\Windows\system32\Imknli32.exe; depth 48)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 4280
- C:\Windows\SysWOW64\Jmpgghoo.exe (command line: C:\Windows\system32\Jmpgghoo.exe; depth 49)
  - Executes dropped EXE
  PID: 2588
- C:\Windows\SysWOW64\Jelhcd32.exe (command line: C:\Windows\system32\Jelhcd32.exe; depth 50)
  - Executes dropped EXE
  PID: 380
- C:\Windows\SysWOW64\Jaefne32.exe (command line: C:\Windows\system32\Jaefne32.exe; depth 51)
  - Executes dropped EXE
  - Modifies registry class
  PID: 2556
- C:\Windows\SysWOW64\Kfkamk32.exe (command line: C:\Windows\system32\Kfkamk32.exe; depth 52)
  - Executes dropped EXE
  PID: 2248
- C:\Windows\SysWOW64\Laglkb32.exe (command line: C:\Windows\system32\Laglkb32.exe; depth 53)
  - Executes dropped EXE
  PID: 1416
- C:\Windows\SysWOW64\Mkdiog32.exe (command line: C:\Windows\system32\Mkdiog32.exe; depth 54)
  - Executes dropped EXE
  PID: 3084
- C:\Windows\SysWOW64\Mdokmm32.exe (command line: C:\Windows\system32\Mdokmm32.exe; depth 55)
  - Executes dropped EXE
  PID: 2276
- C:\Windows\SysWOW64\Nhbmnj32.exe (command line: C:\Windows\system32\Nhbmnj32.exe; depth 56)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1616
- C:\Windows\SysWOW64\Nnoefagj.exe (command line: C:\Windows\system32\Nnoefagj.exe; depth 57)
  - Executes dropped EXE
  PID: 3036
- C:\Windows\SysWOW64\Nggjog32.exe (command line: C:\Windows\system32\Nggjog32.exe; depth 58)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2860
- C:\Windows\SysWOW64\Nejgbn32.exe (command line: C:\Windows\system32\Nejgbn32.exe; depth 59)
  - Executes dropped EXE
  PID: 5132
- C:\Windows\SysWOW64\Odbpij32.exe (command line: C:\Windows\system32\Odbpij32.exe; depth 60)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 5172
- C:\Windows\SysWOW64\Oahnhncc.exe (command line: C:\Windows\system32\Oahnhncc.exe; depth 61)
  - Executes dropped EXE
  PID: 5212
- C:\Windows\SysWOW64\Okqbac32.exe (command line: C:\Windows\system32\Okqbac32.exe; depth 62)
  - Executes dropped EXE
  - Modifies registry class
  PID: 5252
- C:\Windows\SysWOW64\Ofhcdlgg.exe (command line: C:\Windows\system32\Ofhcdlgg.exe; depth 63)
  - Executes dropped EXE
  PID: 5292
- C:\Windows\SysWOW64\Okeklcen.exe (command line: C:\Windows\system32\Okeklcen.exe; depth 64)
  - Executes dropped EXE
  PID: 5340
- C:\Windows\SysWOW64\Pdeffgff.exe (command line: C:\Windows\system32\Pdeffgff.exe; depth 65)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 5380
- C:\Windows\SysWOW64\Qbkcek32.exe (command line: C:\Windows\system32\Qbkcek32.exe; depth 66)
  PID: 5420
- C:\Windows\SysWOW64\Adnilfnl.exe (command line: C:\Windows\system32\Adnilfnl.exe; depth 67)
  PID: 5460
- C:\Windows\SysWOW64\Aeeomegd.exe (command line: C:\Windows\system32\Aeeomegd.exe; depth 68)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 5520
- C:\Windows\SysWOW64\Dfemdcba.exe (command line: C:\Windows\system32\Dfemdcba.exe; depth 69)
  PID: 5572
- C:\Windows\SysWOW64\Fgcjea32.exe (command line: C:\Windows\system32\Fgcjea32.exe; depth 70)
  PID: 5616
- C:\Windows\SysWOW64\Ggafgo32.exe (command line: C:\Windows\system32\Ggafgo32.exe; depth 71)
  PID: 5656
- C:\Windows\SysWOW64\Ggdbmoho.exe (command line: C:\Windows\system32\Ggdbmoho.exe; depth 72)
  PID: 5700
- C:\Windows\SysWOW64\Hhleefhe.exe (command line: C:\Windows\system32\Hhleefhe.exe; depth 73)
  PID: 5744
- C:\Windows\SysWOW64\Hqjcgbbo.exe (command line: C:\Windows\system32\Hqjcgbbo.exe; depth 74)
  PID: 5784
- C:\Windows\SysWOW64\Hjbhph32.exe (command line: C:\Windows\system32\Hjbhph32.exe; depth 75)
  PID: 5824
- C:\Windows\SysWOW64\Igghilhi.exe (command line: C:\Windows\system32\Igghilhi.exe; depth 76)
  PID: 5876
- C:\Windows\SysWOW64\Icdoolge.exe (command line: C:\Windows\system32\Icdoolge.exe; depth 77)
  PID: 5920
- C:\Windows\SysWOW64\Jikjmbmb.exe (command line: C:\Windows\system32\Jikjmbmb.exe; depth 78)
  PID: 5972
- C:\Windows\SysWOW64\Kplijk32.exe (command line: C:\Windows\system32\Kplijk32.exe; depth 79)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 1728
- C:\Windows\SysWOW64\Jeanfkob.exe (command line: C:\Windows\system32\Jeanfkob.exe; depth 80)
  PID: 5400
- C:\Windows\SysWOW64\Kbfjljhf.exe (command line: C:\Windows\system32\Kbfjljhf.exe; depth 81)
  PID: 5468
- C:\Windows\SysWOW64\Kbkdgj32.exe (command line: C:\Windows\system32\Kbkdgj32.exe; depth 82)
  PID: 2032
- C:\Windows\SysWOW64\Mkdagm32.exe (command line: C:\Windows\system32\Mkdagm32.exe; depth 83)
  PID: 2332
- C:\Windows\SysWOW64\Mfiedfmd.exe (command line: C:\Windows\system32\Mfiedfmd.exe; depth 84)
  PID: 5624
- C:\Windows\SysWOW64\Npipnjmm.exe (command line: C:\Windows\system32\Npipnjmm.exe; depth 85)
  - Modifies registry class
  PID: 1588
- C:\Windows\SysWOW64\Nfgbec32.exe (command line: C:\Windows\system32\Nfgbec32.exe; depth 86)
  - Modifies registry class
  PID: 5712
- C:\Windows\SysWOW64\Opiidhoj.exe (command line: C:\Windows\system32\Opiidhoj.exe; depth 87)
  PID: 5768
- C:\Windows\SysWOW64\Opkfjgmh.exe (command line: C:\Windows\system32\Opkfjgmh.exe; depth 88)
  PID: 5836
- C:\Windows\SysWOW64\Pfenga32.exe (command line: C:\Windows\system32\Pfenga32.exe; depth 89)
  PID: 3340
- C:\Windows\SysWOW64\Qmnbej32.exe (command line: C:\Windows\system32\Qmnbej32.exe; depth 90)
  PID: 5988
- C:\Windows\SysWOW64\Abjkmqni.exe (command line: C:\Windows\system32\Abjkmqni.exe; depth 91)
  PID: 6016
- C:\Windows\SysWOW64\Aepmjk32.exe (command line: C:\Windows\system32\Aepmjk32.exe; depth 92)
  - Modifies registry class
  PID: 3868
- C:\Windows\SysWOW64\Bpodmb32.exe (command line: C:\Windows\system32\Bpodmb32.exe; depth 93)
  PID: 412
- C:\Windows\SysWOW64\Cfeplh32.exe (command line: C:\Windows\system32\Cfeplh32.exe; depth 94)
  - Drops file in System32 directory
  PID: 868
- C:\Windows\SysWOW64\Dodjemee.exe (command line: C:\Windows\system32\Dodjemee.exe; depth 95)
  PID: 6052
- C:\Windows\SysWOW64\Djlkhe32.exe (command line: C:\Windows\system32\Djlkhe32.exe; depth 96)
  - Modifies registry class
  PID: 5012
- C:\Windows\SysWOW64\Fplimi32.exe (command line: C:\Windows\system32\Fplimi32.exe; depth 97)
  - Modifies registry class
  PID: 4104
- C:\Windows\SysWOW64\Fjanjb32.exe (command line: C:\Windows\system32\Fjanjb32.exe; depth 98)
  PID: 4932
- C:\Windows\SysWOW64\Gpgihh32.exe (command line: C:\Windows\system32\Gpgihh32.exe; depth 99)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 4352
- C:\Windows\SysWOW64\Gmkibl32.exe (command line: C:\Windows\system32\Gmkibl32.exe; depth 100)
  PID: 2992
- C:\Windows\SysWOW64\Hpchdf32.exe (command line: C:\Windows\system32\Hpchdf32.exe; depth 101)
  PID: 3712
- C:\Windows\SysWOW64\Hnfehm32.exe (command line: C:\Windows\system32\Hnfehm32.exe; depth 102)
  - Modifies registry class
  PID: 4520
- C:\Windows\SysWOW64\Hphbpehj.exe (command line: C:\Windows\system32\Hphbpehj.exe; depth 103)
  PID: 4088
- C:\Windows\SysWOW64\Idmafc32.exe (command line: C:\Windows\system32\Idmafc32.exe; depth 104)
  PID: 4980
- C:\Windows\SysWOW64\Iobecl32.exe (command line: C:\Windows\system32\Iobecl32.exe; depth 105)
  PID: 3860
- C:\Windows\SysWOW64\Jddggb32.exe (command line: C:\Windows\system32\Jddggb32.exe; depth 106)
  PID: 732
- C:\Windows\SysWOW64\Jmnheggo.exe (command line: C:\Windows\system32\Jmnheggo.exe; depth 107)
  PID: 1076
- C:\Windows\SysWOW64\Lnfgmc32.exe (command line: C:\Windows\system32\Lnfgmc32.exe; depth 108)
  PID: 3648
- C:\Windows\SysWOW64\Moofmeal.exe (command line: C:\Windows\system32\Moofmeal.exe; depth 109)
  - Drops file in System32 directory
  - Modifies registry class
  PID: 3984
- C:\Windows\SysWOW64\Nejkfj32.exe (command line: C:\Windows\system32\Nejkfj32.exe; depth 110)
  PID: 5204
- C:\Windows\SysWOW64\Oigdmh32.exe (command line: C:\Windows\system32\Oigdmh32.exe; depth 111)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 5248
- C:\Windows\SysWOW64\Olmficce.exe (command line: C:\Windows\system32\Olmficce.exe; depth 112)
  - Modifies registry class
  PID: 5244
- C:\Windows\SysWOW64\Pijiif32.exe (command line: C:\Windows\system32\Pijiif32.exe; depth 113)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 2928
- C:\Windows\SysWOW64\Appaangd.exe (command line: C:\Windows\system32\Appaangd.exe; depth 114)
  - Modifies registry class
  PID: 5280
- C:\Windows\SysWOW64\Ahkffqdo.exe (command line: C:\Windows\system32\Ahkffqdo.exe; depth 115)
  PID: 2232
- C:\Windows\SysWOW64\Aikbpckb.exe (command line: C:\Windows\system32\Aikbpckb.exe; depth 116)
  PID: 6000
- C:\Windows\SysWOW64\Booaii32.exe (command line: C:\Windows\system32\Booaii32.exe; depth 117)
  PID: 5084
- C:\Windows\SysWOW64\Cpbgnlfo.exe (command line: C:\Windows\system32\Cpbgnlfo.exe; depth 118)
  PID: 5356
- C:\Windows\SysWOW64\Dohmff32.exe (command line: C:\Windows\system32\Dohmff32.exe; depth 119)
  PID: 5428
- C:\Windows\SysWOW64\Fbiooolb.exe (command line: C:\Windows\system32\Fbiooolb.exe; depth 120)
  PID: 380
- C:\Windows\SysWOW64\Foplnb32.exe (command line: C:\Windows\system32\Foplnb32.exe; depth 121)
  PID: 2804
- C:\Windows\SysWOW64\Hihimfag.exe (command line: C:\Windows\system32\Hihimfag.exe; depth 122)
  PID: 2724