Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11/06/2024, 04:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162.exe
-
Size
60KB
-
MD5
4f30502315a50e9e0d3d52d4a9f11152
-
SHA1
93646a83d6117d1d5527a7518b9333e92bf3303c
-
SHA256
ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162
-
SHA512
17f65ebdeb892b9772daf030857a76099cbf9f528088eeb1c3e889b0e15073518da030f0997ed81de800b9d7427456cb09a66e5907b5ad463c47eff571ba3d88
-
SSDEEP
1536:Da1/v71lrRQfEMsysTg7QzMW6FaDa0B86l1rs:e1H7HRQFshr6wa0B86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdciiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbphg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebkbbmqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiccje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iondqhpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkobkod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkmgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjblje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcgiefen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjfmkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogkmgba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkdjofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klbnajqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepjhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnhajba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbebbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhiemoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjjkaabc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibgdlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlofcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojcpdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piapkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojnfihmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanokhdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcoccc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egohdegl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkmgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnfohmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmpolgoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcmodajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlljnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfegk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmodajm.exe -
Executes dropped EXE 64 IoCs
pid Process 2804 Holfoqcm.exe 2592 Hefnkkkj.exe 3864 Hmmfmhll.exe 2596 Hplbickp.exe 2564 Hbjoeojc.exe 2072 Hidgai32.exe 4368 Hmpcbhji.exe 1756 Hoaojp32.exe 4612 Hblkjo32.exe 2876 Hekgfj32.exe 4568 Hmbphg32.exe 2260 Hlepcdoa.exe 2604 Hbohpn32.exe 1588 Hmdlmg32.exe 3744 Hpchib32.exe 1820 Ifmqfm32.exe 2688 Iikmbh32.exe 4648 Iohejo32.exe 2524 Ifomll32.exe 3628 Iinjhh32.exe 60 Illfdc32.exe 2376 Iojbpo32.exe 1088 Igajal32.exe 4844 Imkbnf32.exe 1976 Ipjoja32.exe 5064 Igdgglfl.exe 4580 Iibccgep.exe 1276 Ilqoobdd.exe 4856 Ioolkncg.exe 376 Ieidhh32.exe 2696 Impliekg.exe 3076 Ipoheakj.exe 2312 Jcmdaljn.exe 4520 Jiglnf32.exe 3288 Jleijb32.exe 1420 Jpaekqhh.exe 3436 Jcoaglhk.exe 3268 Jgkmgk32.exe 2276 Jiiicf32.exe 3236 Jlgepanl.exe 4904 Jpcapp32.exe 1764 Jcanll32.exe 1376 Jepjhg32.exe 4004 Jngbjd32.exe 1040 Jpenfp32.exe 2380 Johnamkm.exe 2740 Jebfng32.exe 4552 Jniood32.exe 2000 Jllokajf.exe 4928 Jokkgl32.exe 1988 Jgbchj32.exe 2620 Jjpode32.exe 540 Jlolpq32.exe 3540 Komhll32.exe 3116 Kgdpni32.exe 4396 Kjblje32.exe 1500 Knnhjcog.exe 4932 Kpmdfonj.exe 4896 Kckqbj32.exe 3548 Kjeiodek.exe 3700 Klcekpdo.exe 4352 Koaagkcb.exe 4336 Kgiiiidd.exe 4808 Kncaec32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Gpmomo32.exe File opened for modification C:\Windows\SysWOW64\Kckqbj32.exe Kpmdfonj.exe File created C:\Windows\SysWOW64\Pjkakfla.dll Lcdciiec.exe File opened for modification C:\Windows\SysWOW64\Npbceggm.exe Njfkmphe.exe File opened for modification C:\Windows\SysWOW64\Lpochfji.exe Lhgkgijg.exe File created C:\Windows\SysWOW64\Gpolbo32.exe Gghdaa32.exe File opened for modification C:\Windows\SysWOW64\Gaebef32.exe Gngeik32.exe File created C:\Windows\SysWOW64\Diadam32.dll Ljpaqmgb.exe File created C:\Windows\SysWOW64\Filapfbo.exe Fqeioiam.exe File created C:\Windows\SysWOW64\Nmdkcj32.dll Lfiokmkc.exe File created C:\Windows\SysWOW64\Fpnkah32.dll Nbbeml32.exe File opened for modification C:\Windows\SysWOW64\Ioolkncg.exe Ilqoobdd.exe File created C:\Windows\SysWOW64\Ndnljbeg.dll Lcimdh32.exe File created C:\Windows\SysWOW64\Npbceggm.exe Njfkmphe.exe File created C:\Windows\SysWOW64\Lmnbjama.dll Palklf32.exe File created C:\Windows\SysWOW64\Bhhiemoj.exe Apaadpng.exe File opened for modification C:\Windows\SysWOW64\Doojec32.exe Dggbcf32.exe File created C:\Windows\SysWOW64\Kafkmp32.dll Jemfhacc.exe File opened for modification C:\Windows\SysWOW64\Mjpjgj32.exe Mbibfm32.exe File opened for modification C:\Windows\SysWOW64\Lggejg32.exe Lopmii32.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Njfkmphe.exe File created C:\Windows\SysWOW64\Ofmdio32.exe Omdppiif.exe File created C:\Windows\SysWOW64\Lpochfji.exe Lhgkgijg.exe File created C:\Windows\SysWOW64\Geqnma32.dll Amlogfel.exe File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe Bhhiemoj.exe File opened for modification C:\Windows\SysWOW64\Fkofga32.exe Fgcjfbed.exe File created C:\Windows\SysWOW64\Mhegobpi.dll Ilqoobdd.exe File created C:\Windows\SysWOW64\Ebfign32.exe Eohmkb32.exe File created C:\Windows\SysWOW64\Gflonn32.dll Ojemig32.exe File created C:\Windows\SysWOW64\Ipbaol32.exe Ihkjno32.exe File opened for modification C:\Windows\SysWOW64\Mjggal32.exe Mfkkqmiq.exe File created C:\Windows\SysWOW64\Jlolpq32.exe Jjpode32.exe File created C:\Windows\SysWOW64\Oeeape32.dll Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Enfckp32.exe Dkhgod32.exe File created C:\Windows\SysWOW64\Gbhhqamj.dll Njgqhicg.exe File created C:\Windows\SysWOW64\Hlhmjl32.dll Pbhgoh32.exe File created C:\Windows\SysWOW64\Pjbcplpe.exe Pffgom32.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Chdialdl.exe File opened for modification C:\Windows\SysWOW64\Mbibfm32.exe Mlljnf32.exe File created C:\Windows\SysWOW64\Glqfgdpo.dll Mfpell32.exe File created C:\Windows\SysWOW64\Oflmnh32.exe Opbean32.exe File created C:\Windows\SysWOW64\Kgkfnh32.exe Kodnmkap.exe File created C:\Windows\SysWOW64\Dpkmal32.exe Dojqjdbl.exe File created C:\Windows\SysWOW64\Dndhqgbm.dll Kpiqfima.exe File opened for modification C:\Windows\SysWOW64\Kpiqfima.exe Khbiello.exe File opened for modification C:\Windows\SysWOW64\Lcgpni32.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Bobabg32.exe Bkgeainn.exe File opened for modification C:\Windows\SysWOW64\Fnkfmm32.exe Fkmjaa32.exe File created C:\Windows\SysWOW64\Lpmkebjc.dll Bhhiemoj.exe File opened for modification C:\Windows\SysWOW64\Ggmmlamj.exe Geoapenf.exe File created C:\Windows\SysWOW64\Anjcohke.dll Jbepme32.exe File created C:\Windows\SysWOW64\Hidgai32.exe Hbjoeojc.exe File created C:\Windows\SysWOW64\Doojec32.exe Dggbcf32.exe File created C:\Windows\SysWOW64\Icbcjhfb.dll Opbean32.exe File created C:\Windows\SysWOW64\Nlhego32.dll Nmhijd32.exe File opened for modification C:\Windows\SysWOW64\Chdialdl.exe Cpmapodj.exe File created C:\Windows\SysWOW64\Oblknjim.dll Cgqlcg32.exe File opened for modification C:\Windows\SysWOW64\Njgqhicg.exe Nbphglbe.exe File created C:\Windows\SysWOW64\Ilqoobdd.exe Iibccgep.exe File created C:\Windows\SysWOW64\Dblamanm.dll Ppikbm32.exe File created C:\Windows\SysWOW64\Egohdegl.exe Edplhjhi.exe File created C:\Windows\SysWOW64\Caecnh32.dll Modpib32.exe File created C:\Windows\SysWOW64\Bnnkgo32.dll Koaagkcb.exe File created C:\Windows\SysWOW64\Agimkk32.exe Adkqoohc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10816 10732 WerFault.exe 500 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaonjaj.dll" Ebkbbmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll" Hlkfbocp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll" Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll" Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll" Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll" Dhbebj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimngjie.dll" Ehbnigjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcjfbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbphglbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piapkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oanokhdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjbcplpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijdjfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcohke.dll" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbbeml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfiokmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inclga32.dll" Heegad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlppno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njljch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdinefi.dll" Egohdegl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll" Omalpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebkbbmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgibp32.dll" Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obnehj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illfdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcgiefen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbjnhape.dll" Hifmmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhego32.dll" Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnlecmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll" Jlikkkhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpecpo32.dll" Klbnajqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll" Pjaleemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khbiello.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbibfm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4264 wrote to memory of 2804 4264 ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162.exe 89 PID 4264 wrote to memory of 2804 4264 ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162.exe 89 PID 4264 wrote to memory of 2804 4264 ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162.exe 89 PID 2804 wrote to memory of 2592 2804 Holfoqcm.exe 90 PID 2804 wrote to memory of 2592 2804 Holfoqcm.exe 90 PID 2804 wrote to memory of 2592 2804 Holfoqcm.exe 90 PID 2592 wrote to memory of 3864 2592 Hefnkkkj.exe 91 PID 2592 wrote to memory of 3864 2592 Hefnkkkj.exe 91 PID 2592 wrote to memory of 3864 2592 Hefnkkkj.exe 91 PID 3864 wrote to memory of 2596 3864 Hmmfmhll.exe 92 PID 3864 wrote to memory of 2596 3864 Hmmfmhll.exe 92 PID 3864 wrote to memory of 2596 3864 Hmmfmhll.exe 92 PID 2596 wrote to memory of 2564 2596 Hplbickp.exe 93 PID 2596 wrote to memory of 2564 2596 Hplbickp.exe 93 PID 2596 wrote to memory of 2564 2596 Hplbickp.exe 93 PID 2564 wrote to memory of 2072 2564 Hbjoeojc.exe 94 PID 2564 wrote to memory of 2072 2564 Hbjoeojc.exe 94 PID 2564 wrote to memory of 2072 2564 Hbjoeojc.exe 94 PID 2072 wrote to memory of 4368 2072 Hidgai32.exe 95 PID 2072 wrote to memory of 4368 2072 Hidgai32.exe 95 PID 2072 wrote to memory of 4368 2072 Hidgai32.exe 95 PID 4368 wrote to memory of 1756 4368 Hmpcbhji.exe 96 PID 4368 wrote to memory of 1756 4368 Hmpcbhji.exe 96 PID 4368 wrote to memory of 1756 4368 Hmpcbhji.exe 96 PID 1756 wrote to memory of 4612 1756 Hoaojp32.exe 97 PID 1756 wrote to memory of 4612 1756 Hoaojp32.exe 97 PID 1756 wrote to memory of 4612 1756 Hoaojp32.exe 97 PID 4612 wrote to memory of 2876 4612 Hblkjo32.exe 98 PID 4612 wrote to memory of 2876 4612 Hblkjo32.exe 98 PID 4612 wrote to memory of 2876 4612 Hblkjo32.exe 98 PID 2876 wrote to memory of 4568 2876 Hekgfj32.exe 100 PID 2876 wrote to memory of 4568 2876 Hekgfj32.exe 100 PID 2876 wrote to memory of 4568 2876 Hekgfj32.exe 100 PID 4568 wrote to memory of 2260 4568 Hmbphg32.exe 101 PID 4568 wrote to memory of 2260 4568 Hmbphg32.exe 101 PID 4568 wrote to memory of 2260 4568 Hmbphg32.exe 101 PID 2260 wrote to memory of 2604 2260 Hlepcdoa.exe 102 PID 2260 wrote to memory of 2604 2260 Hlepcdoa.exe 102 PID 2260 wrote to memory of 2604 2260 Hlepcdoa.exe 102 PID 2604 wrote to memory of 1588 2604 Hbohpn32.exe 103 PID 2604 wrote to memory of 1588 2604 Hbohpn32.exe 103 PID 2604 wrote to memory of 1588 2604 Hbohpn32.exe 103 PID 1588 wrote to memory of 3744 1588 Hmdlmg32.exe 104 PID 1588 wrote to memory of 3744 1588 Hmdlmg32.exe 104 PID 1588 wrote to memory of 3744 1588 Hmdlmg32.exe 104 PID 3744 wrote to memory of 1820 3744 Hpchib32.exe 105 PID 3744 wrote to memory of 1820 3744 Hpchib32.exe 105 PID 3744 wrote to memory of 1820 3744 Hpchib32.exe 105 PID 1820 wrote to memory of 2688 1820 Ifmqfm32.exe 107 PID 1820 wrote to memory of 2688 1820 Ifmqfm32.exe 107 PID 1820 wrote to memory of 2688 1820 Ifmqfm32.exe 107 PID 2688 wrote to memory of 4648 2688 Iikmbh32.exe 108 PID 2688 wrote to memory of 4648 2688 Iikmbh32.exe 108 PID 2688 wrote to memory of 4648 2688 Iikmbh32.exe 108 PID 4648 wrote to memory of 2524 4648 Iohejo32.exe 109 PID 4648 wrote to memory of 2524 4648 Iohejo32.exe 109 PID 4648 wrote to memory of 2524 4648 Iohejo32.exe 109 PID 2524 wrote to memory of 3628 2524 Ifomll32.exe 111 PID 2524 wrote to memory of 3628 2524 Ifomll32.exe 111 PID 2524 wrote to memory of 3628 2524 Ifomll32.exe 111 PID 3628 wrote to memory of 60 3628 Iinjhh32.exe 112 PID 3628 wrote to memory of 60 3628 Iinjhh32.exe 112 PID 3628 wrote to memory of 60 3628 Iinjhh32.exe 112 PID 60 wrote to memory of 2376 60 Illfdc32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162.exe"C:\Users\Admin\AppData\Local\Temp\ee890e8a9447073d18a0f6899385cceb62f7d1fdcd7cc48dccef40328871b162.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Hmmfmhll.exeC:\Windows\system32\Hmmfmhll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Hbjoeojc.exeC:\Windows\system32\Hbjoeojc.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Hoaojp32.exeC:\Windows\system32\Hoaojp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Hekgfj32.exeC:\Windows\system32\Hekgfj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Hbohpn32.exeC:\Windows\system32\Hbohpn32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Hmdlmg32.exeC:\Windows\system32\Hmdlmg32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Iohejo32.exeC:\Windows\system32\Iohejo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe23⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe24⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Imkbnf32.exeC:\Windows\system32\Imkbnf32.exe25⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Ipjoja32.exeC:\Windows\system32\Ipjoja32.exe26⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe27⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4580 -
C:\Windows\SysWOW64\Ilqoobdd.exeC:\Windows\system32\Ilqoobdd.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe30⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe31⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe32⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe33⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe34⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe35⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe36⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe37⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe38⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe40⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe41⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Jepjhg32.exeC:\Windows\system32\Jepjhg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe45⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe46⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe47⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe48⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe49⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe50⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe51⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Jgbchj32.exeC:\Windows\system32\Jgbchj32.exe52⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe54⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Komhll32.exeC:\Windows\system32\Komhll32.exe55⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe56⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe58⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Kpmdfonj.exeC:\Windows\system32\Kpmdfonj.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe60⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe61⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe62⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4352 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe64⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe65⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe66⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe68⤵
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe69⤵PID:3792
-
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe70⤵PID:2568
-
C:\Windows\SysWOW64\Kofkbk32.exeC:\Windows\system32\Kofkbk32.exe71⤵PID:1220
-
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe72⤵PID:3244
-
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe74⤵PID:924
-
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Ljnlecmp.exeC:\Windows\system32\Ljnlecmp.exe76⤵
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Lcgpni32.exeC:\Windows\system32\Lcgpni32.exe78⤵PID:5152
-
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe79⤵
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe81⤵
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe82⤵
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe83⤵PID:5368
-
C:\Windows\SysWOW64\Lopmii32.exeC:\Windows\system32\Lopmii32.exe84⤵
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Lggejg32.exeC:\Windows\system32\Lggejg32.exe85⤵PID:5456
-
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe86⤵PID:5500
-
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5544 -
C:\Windows\SysWOW64\Lncjlq32.exeC:\Windows\system32\Lncjlq32.exe88⤵PID:5584
-
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe89⤵PID:5624
-
C:\Windows\SysWOW64\Mcpcdg32.exeC:\Windows\system32\Mcpcdg32.exe90⤵PID:5664
-
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Mnegbp32.exeC:\Windows\system32\Mnegbp32.exe92⤵PID:5752
-
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe93⤵PID:5796
-
C:\Windows\SysWOW64\Mjlhgaqp.exeC:\Windows\system32\Mjlhgaqp.exe94⤵PID:5840
-
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Mjodla32.exeC:\Windows\system32\Mjodla32.exe96⤵PID:5928
-
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe97⤵PID:5972
-
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe99⤵
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe100⤵PID:6092
-
C:\Windows\SysWOW64\Mmpmnl32.exeC:\Windows\system32\Mmpmnl32.exe101⤵PID:6128
-
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe102⤵PID:5136
-
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe103⤵PID:5228
-
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe104⤵PID:5268
-
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe106⤵PID:5436
-
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe107⤵PID:5492
-
C:\Windows\SysWOW64\Nqbpojnp.exeC:\Windows\system32\Nqbpojnp.exe108⤵PID:5576
-
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe109⤵PID:5660
-
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe110⤵PID:5724
-
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe111⤵PID:5792
-
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe112⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe113⤵PID:5920
-
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe114⤵PID:6000
-
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe115⤵PID:6068
-
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe116⤵PID:5124
-
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe117⤵PID:5216
-
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Omdppiif.exeC:\Windows\system32\Omdppiif.exe119⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Ofmdio32.exeC:\Windows\system32\Ofmdio32.exe120⤵PID:5528
-
C:\Windows\SysWOW64\Pfoann32.exeC:\Windows\system32\Pfoann32.exe121⤵PID:3416
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-