Analysis
max time kernel: 126s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/07/2024, 21:24
Static task: static1
Behavioral task: behavioral1
  Sample: 4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe
  Resource: win10v2004-20240226-en
General
Target: 4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe
Size: 49KB
MD5: fb1a4b9b093003226c7969b9a16dad07
SHA1: 664b6ac943bf8352398c20fc944d91b76b29aab5
SHA256: 4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247
SHA512: 6a11b81489ce85d38150e4b7b0ae0689d683828709beb482edc16a61eb4ec48718f514241312d7bea35b2ddc709c8ac124eb76fb9e7706baeb6d59ba6d2891f2
SSDEEP: 768:EJOn39DyVjPq3do1dLin9+VNcEXhnxYIq+vOGMnxJ/1H5Ma2Xdnh7:EctDyV8do1dLM9INcEXhnxNtknxDaDl
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so whatever DLL is registered as that CLSID's InProcServer32 (see "Modifies registry class" below) is loaded into Explorer at each logon. Only two distinct registry operations occur; the processes performing each are grouped here.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eainnn32.exe, Homadjin.exe, Jphkfc32.exe, Ajphagha.exe, Cfogohpa.exe, Kfkamk32.exe, Cfmacoep.exe, Doqbifpl.exe, Qnihlf32.exe, Fgncaj32.exe, Ahonbhig.exe, Aebhaede.exe, Nfnooe32.exe, Agcikk32.exe, Gdobgp32.exe, Lkjoqnei.exe, Kkgbjkac.exe, Dmooak32.exe, Ejmild32.exe, Jfkehk32.exe, Dhidcffq.exe, Jbeinb32.exe, Liqibm32.exe, Idljll32.exe, Mqnfon32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eahhcd32.exe, Ehcfkhel.exe, Imdgjlgb.exe, Djcoko32.exe, Omnqhbap.exe, Lkmihi32.exe, Accnco32.exe, Hfhgfaha.exe, Cbefkp32.exe, Glnnofhi.exe, Hdpicj32.exe, Bcinie32.exe, Qemoff32.exe, Aebhaede.exe, Jnqbmadp.exe, Limioiia.exe, Ajphagha.exe, Fpqgjf32.exe, Bqahmhpi.exe, Ehaieh32.exe, Didnmp32.exe, Nccqbeec.exe, Oenljoji.exe, Qolbgbgb.exe, Ifmcmg32.exe, Liqibm32.exe, Poomom32.exe, Acfhkj32.exe, Aihaifam.exe, Ldanloba.exe, Gdobgp32.exe, Glmqjj32.exe, Gebimmco.exe, Njghkb32.exe, Mhbakk32.exe, Amodnenk.exe, Gmndjf32.exe, Qnpgdmjd.exe, Ngbpbjoe.exe
Executes dropped EXE (64 IoCs)
pid | Process
3932 | Gnoacp32.exe
1840 | Jnfjbj32.exe
3356 | Kccbjq32.exe
4780 | Kmncif32.exe
3612 | Kfkamk32.exe
1244 | Ldanloba.exe
368 | Lmqiec32.exe
2116 | Mgbpdgap.exe
2096 | Nahdapae.exe
4488 | Noqofdlj.exe
3928 | Ndpcdjho.exe
4680 | Qnpgdmjd.exe
3900 | Agmehamp.exe
3432 | Afpbkicl.exe
4960 | Afdkfh32.exe
5076 | Bijncb32.exe
3840 | Ciaddaaj.exe
4592 | Cnnllhpa.exe
4804 | Dlnlak32.exe
4980 | Doqbifpl.exe
1216 | Epbkhhel.exe
1048 | Efampahd.exe
2060 | Fhefmjlp.exe
3948 | Foonjd32.exe
3136 | Fpqgjf32.exe
1680 | Gebimmco.exe
4232 | Glnnofhi.exe
2784 | Ggfobofl.exe
3868 | Hfniikha.exe
3156 | Hgpbhmna.exe
1488 | Hfeoijbi.exe
5032 | Hhehkepj.exe
4996 | Icklhnop.exe
2744 | Ifihdi32.exe
1824 | Jjemle32.exe
5012 | Kgcqlh32.exe
3120 | Glpdjpbj.exe
4796 | Gammbfqa.exe
3292 | Ghgeoq32.exe
4820 | Hkjjfkcm.exe
4648 | Hllcfnhm.exe
4352 | Ihgnfnjl.exe
2968 | Iljpgl32.exe
3988 | Jbghpc32.exe
1948 | Jcknee32.exe
232 | Limioiia.exe
3684 | Lmmokgne.exe
756 | Npgjbabk.exe
4672 | Omnqhbap.exe
400 | Ppafpm32.exe
436 | Pilgnb32.exe
1544 | Pindcboi.exe
3732 | Aiejda32.exe
2688 | Alfcflfb.exe
4312 | Agkgceeh.exe
2232 | Aneppo32.exe
1920 | Almifk32.exe
2168 | Bgbmdd32.exe
2660 | Bnlfqngm.exe
648 | Bcinie32.exe
3800 | Bkepeaaa.exe
2796 | Bqahmhpi.exe
216 | Bqdechnf.exe
224 | Cmpoch32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Afdkfh32.exe | Afpbkicl.exe
File created | C:\Windows\SysWOW64\Bijncb32.exe | Afdkfh32.exe
File created | C:\Windows\SysWOW64\Gogiac32.dll | Hmbpbk32.exe
File created | C:\Windows\SysWOW64\Dpqcoj32.exe | Didnmp32.exe
File created | C:\Windows\SysWOW64\Ligglo32.exe | Lcmopeae.exe
File created | C:\Windows\SysWOW64\Jkfakb32.exe | Ifihckmi.exe
File created | C:\Windows\SysWOW64\Ndpcdjho.exe | Noqofdlj.exe
File created | C:\Windows\SysWOW64\Jddbop32.dll | Bidefbcg.exe
File created | C:\Windows\SysWOW64\Keinepch.exe | Knofif32.exe
File created | C:\Windows\SysWOW64\Plbmhadm.exe | Pehekgmp.exe
File opened for modification | C:\Windows\SysWOW64\Iacepmik.exe | Ihicah32.exe
File created | C:\Windows\SysWOW64\Jbghpc32.exe | Iljpgl32.exe
File created | C:\Windows\SysWOW64\Phiong32.dll | Bijncb32.exe
File opened for modification | C:\Windows\SysWOW64\Bonjnc32.exe | Beefenie.exe
File created | C:\Windows\SysWOW64\Blmihnln.dll | Fojenfeg.exe
File opened for modification | C:\Windows\SysWOW64\Nblcgpho.exe | Nlbkjf32.exe
File created | C:\Windows\SysWOW64\Agmehamp.exe | Qnpgdmjd.exe
File opened for modification | C:\Windows\SysWOW64\Bqahmhpi.exe | Bkepeaaa.exe
File created | C:\Windows\SysWOW64\Ghgeoq32.exe | Gammbfqa.exe
File opened for modification | C:\Windows\SysWOW64\Fplimi32.exe | Fnjmea32.exe
File opened for modification | C:\Windows\SysWOW64\Jpoagb32.exe | Jgbccm32.exe
File created | C:\Windows\SysWOW64\Bonjnc32.exe | Beefenie.exe
File created | C:\Windows\SysWOW64\Pjickj32.dll | Fhmpkmpm.exe
File created | C:\Windows\SysWOW64\Cjiefocn.dll | Jqihjbod.exe
File created | C:\Windows\SysWOW64\Lmqiec32.exe | Ldanloba.exe
File created | C:\Windows\SysWOW64\Pilgnb32.exe | Ppafpm32.exe
File created | C:\Windows\SysWOW64\Kbjenkaf.dll | Oghgbe32.exe
File created | C:\Windows\SysWOW64\Obombeqb.dll | Nlefebfg.exe
File created | C:\Windows\SysWOW64\Fmfnig32.exe | Fmdach32.exe
File opened for modification | C:\Windows\SysWOW64\Lmqiec32.exe | Ldanloba.exe
File created | C:\Windows\SysWOW64\Mciokcgg.exe | Mddbjg32.exe
File created | C:\Windows\SysWOW64\Dflebj32.dll | Iomcqa32.exe
File created | C:\Windows\SysWOW64\Hhfpka32.dll | Bqahmhpi.exe
File created | C:\Windows\SysWOW64\Bonkjk32.dll | Cemcqcgi.exe
File opened for modification | C:\Windows\SysWOW64\Foebmn32.exe | Eoollocp.exe
File created | C:\Windows\SysWOW64\Ocjgcd32.exe | Ohebek32.exe
File created | C:\Windows\SysWOW64\Mmcomooj.dll | Mbgjlq32.exe
File created | C:\Windows\SysWOW64\Pbpall32.exe | Pnnokn32.exe
File created | C:\Windows\SysWOW64\Eoapldei.exe | Ehhgpj32.exe
File created | C:\Windows\SysWOW64\Ndjfmf32.dll | Ehhgpj32.exe
File created | C:\Windows\SysWOW64\Delcgpmm.dll | Ifmcmg32.exe
File opened for modification | C:\Windows\SysWOW64\Ocqncp32.exe | Nbhkjicf.exe
File opened for modification | C:\Windows\SysWOW64\Peimcaae.exe | Pqihgcma.exe
File created | C:\Windows\SysWOW64\Bcclaf32.dll | Dpqcoj32.exe
File created | C:\Windows\SysWOW64\Mglkge32.dll | Fmdach32.exe
File opened for modification | C:\Windows\SysWOW64\Pilgnb32.exe | Ppafpm32.exe
File created | C:\Windows\SysWOW64\Djlppb32.dll | Fnhppa32.exe
File opened for modification | C:\Windows\SysWOW64\Jikojcaa.exe | Ifmcmg32.exe
File created | C:\Windows\SysWOW64\Mfkcec32.dll | Jikojcaa.exe
File created | C:\Windows\SysWOW64\Mmiccf32.exe | Lifqbi32.exe
File created | C:\Windows\SysWOW64\Lijjba32.dll | Edqdij32.exe
File created | C:\Windows\SysWOW64\Ojoflnjh.dll | Idieob32.exe
File created | C:\Windows\SysWOW64\Hfniikha.exe | Ggfobofl.exe
File created | C:\Windows\SysWOW64\Dmbbmbea.dll | Dcglfjgf.exe
File created | C:\Windows\SysWOW64\Iomcqa32.exe | Ikjapden.exe
File opened for modification | C:\Windows\SysWOW64\Ogcfncjf.exe | Ncfmhecp.exe
File created | C:\Windows\SysWOW64\Amodnenk.exe | Afboll32.exe
File opened for modification | C:\Windows\SysWOW64\Hgdlnp32.exe | Hphglf32.exe
File created | C:\Windows\SysWOW64\Ggfobofl.exe | Glnnofhi.exe
File opened for modification | C:\Windows\SysWOW64\Comddn32.exe | Bodano32.exe
File opened for modification | C:\Windows\SysWOW64\Imnoni32.exe | Hjfplo32.exe
File created | C:\Windows\SysWOW64\Hdpicj32.exe | Hocqkc32.exe
File created | C:\Windows\SysWOW64\Pbfkhg32.dll | Alnmdojp.exe
File opened for modification | C:\Windows\SysWOW64\Hlqmla32.exe | Hgdedj32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4924 | 5472 | WerFault.exe | 695
Modifies registry class (64 IoCs)
All 64 operations touch the InProcServer32 subkey of the same CLSID that the ShellServiceObjectDelayLoad value above references. The default value of InProcServer32 names the DLL Explorer loads for that CLSID; the processes in the chain repeatedly repoint it at different DLLs under SysWOW64. The ThreadingModel and key-creation rows are grouped by process; each default-value write is listed individually because its DLL path differs.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldanloba.exe, Aochga32.exe, Dgkbfjeg.exe, Lpnlicne.exe, Ciaddaaj.exe, Jbghpc32.exe, Fnjmea32.exe, Qfneamlf.exe, Dckdddcd.exe, Encgdbqd.exe, Fgncaj32.exe, Ajikhfpg.exe, Hpjlgp32.exe, Bijncb32.exe, Klapgq32.exe, Lkjoqnei.exe, Cpeobn32.exe, Ebjckppa.exe, Mpjleadh.exe, Ehaieh32.exe, Fmkgdgej.exe, Blakhgoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bgpggm32.exe, Dmakgj32.exe, Jpoagb32.exe, Qimfoe32.exe, Jdbheajp.exe, Cijpkmml.exe, Afddge32.exe, Dcigneeg.exe, Efampahd.exe, Imdgjlgb.exe, Ehecpgbi.exe, Pimkkfka.exe, Aneppo32.exe, Ojgbpd32.exe, Biaiqb32.exe, Aochga32.exe, Galonj32.exe, Boldcj32.exe, Edqdij32.exe, Ihgnfnjl.exe, Bmfjodgc.exe, Pehekgmp.exe, Knchio32.exe, Loaafnah.exe, Cggnhlml.exe, Jnqbmadp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlapiaeg.dll" | Dcqmpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgobe32.dll" | Hlmiagbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdnkekie.dll" | Mpdkol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncpnljf.dll" | Ahgjnpna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oelnpk32.dll" | Aaianaoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhkcql32.dll" | Edcqojqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpeohnhn.dll" | Beefenie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kopdmlcq.dll" | Igbhpned.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onlbdmpg.dll" | Qfneamlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceiemclg.dll" | Foonjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnclpelo.dll" | Jnfcbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifckmnbd.dll" | Aemqdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocebha32.dll" | Kfgddi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bggijc32.dll" | Qemoff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofcni32.dll" | Cmiffhkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnejfn32.dll" | Algiaepd.exe
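The two registry signatures above only tell the whole story when read together: the SSODL value supplies a CLSID, and the InProcServer32 default value of that CLSID supplies the DLL Explorer will load. The following Python is an added example (not part of the tria.ge report and not code from the sample) that performs that join over sandbox-style registry events and then checks whether the processes doing the writing are among the report's dropped executables. The event tuples are constructed from rows of this report plus one constructed benign control row; the tuple layout, the regexes, the function names and the DROPPED subset are this example's own assumptions.

```python
import re
from collections import defaultdict

# Registry events constructed from rows of this report ("Adds autorun key" and
# "Modifies registry class"), plus one constructed benign control row.
# Layout (operation, key, value name, data, process) is this example's own;
# value name "" denotes the key's default value, None means no value was written.
EVENTS = [
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "Web Event Logger", "{79FEACFF-FFCE-815E-A900-316290B5B738}", "Kfkamk32.exe"),
    ("Key created",
     r"\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     None, None, "Ldanloba.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32",
     "ThreadingModel", "Apartment", "Ldanloba.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32",
     "", r"C:\Windows\SysWow64\Jlapiaeg.dll", "Dcqmpa32.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32",
     "", r"C:\Windows\SysWow64\Epgobe32.dll", "Hlmiagbo.exe"),
    # Constructed control: a CLSID that no SSODL value references must not be reported.
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32",
     "", r"C:\Windows\System32\shell32.dll", "regsvr32.exe"),
]

# Subset of the report's "Executes dropped EXE" process names (assumed input).
DROPPED = {"Kfkamk32.exe", "Ldanloba.exe", "Bijncb32.exe", "Ciaddaaj.exe"}

SSODL_KEY_RE = re.compile(r"\\ShellServiceObjectDelayLoad$", re.I)
INPROC_KEY_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.I)
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def ssodl_values(events):
    """(value name, CLSID) -> set of processes that set an SSODL autorun value."""
    out = defaultdict(set)
    for op, key, name, data, proc in events:
        if op.startswith("Set value") and SSODL_KEY_RE.search(key) \
                and data and GUID_RE.fullmatch(data):
            out[(name, data.upper())].add(proc)
    return out


def inproc_servers(events):
    """CLSID -> {DLL path -> set of processes} for InProcServer32 default values."""
    out = defaultdict(lambda: defaultdict(set))
    for op, key, name, data, proc in events:
        m = INPROC_KEY_RE.search(key)
        if op.startswith("Set value") and m and name == "" and data:
            out[m.group(1).upper()][data].add(proc)
    return out


def find_ssodl_persistence(events):
    """Join each SSODL value to the DLL(s) registered for its CLSID.

    An SSODL value whose CLSID has no InProcServer32 registration in the event
    set is still returned, with an empty 'dlls' list, so it is not lost."""
    servers = inproc_servers(events)
    hits = []
    for (name, clsid), procs in ssodl_values(events).items():
        dll_map = servers.get(clsid, {})
        dll_writers = {p for ps in dll_map.values() for p in ps}
        hits.append({
            "value": name,
            "clsid": clsid,
            "dlls": sorted(dll_map),
            "writers": sorted(procs | dll_writers),
        })
    return sorted(hits, key=lambda h: (h["value"], h["clsid"]))


def written_by_dropped_binary(hit, dropped):
    """True when a dropped executable wrote the SSODL value or its InProcServer32
    DLL path: the cross-signature link that separates this from a legitimate
    shell-extension install."""
    return any(p in dropped for p in hit["writers"])


if __name__ == "__main__":
    for hit in find_ssodl_persistence(EVENTS):
        flag = "DROPPED-BINARY" if written_by_dropped_binary(hit, DROPPED) else "review"
        print(flag, hit["value"], hit["clsid"], hit["dlls"], hit["writers"])
```

The same join works on host telemetry (Sysmon event ID 13 registry writes, for instance) once the records are mapped onto the tuple layout; the control row shows that an InProcServer32 write on its own is not a finding, only one whose CLSID is reachable from an SSODL value is.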
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each edge is logged three times unless noted; the 64-IoC cap cuts the list off at PID 1048)
PID 2104 wrote to memory of 3932 | 2104 | 4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe | 90 (x3)
PID 3932 wrote to memory of 1840 | 3932 | Gnoacp32.exe | 91 (x3)
PID 1840 wrote to memory of 3356 | 1840 | Jnfjbj32.exe | 92 (x3)
PID 3356 wrote to memory of 4780 | 3356 | Kccbjq32.exe | 412 (x3)
PID 4780 wrote to memory of 3612 | 4780 | Kmncif32.exe | 94 (x3)
PID 3612 wrote to memory of 1244 | 3612 | Kfkamk32.exe | 95 (x3)
PID 1244 wrote to memory of 368 | 1244 | Ldanloba.exe | 96 (x3)
PID 368 wrote to memory of 2116 | 368 | Lmqiec32.exe | 97 (x3)
PID 2116 wrote to memory of 2096 | 2116 | Mgbpdgap.exe | 369 (x3)
PID 2096 wrote to memory of 4488 | 2096 | Nahdapae.exe | 99 (x3)
PID 4488 wrote to memory of 3928 | 4488 | Noqofdlj.exe | 101 (x3)
PID 3928 wrote to memory of 4680 | 3928 | Ndpcdjho.exe | 102 (x3)
PID 4680 wrote to memory of 3900 | 4680 | Qnpgdmjd.exe | 212 (x3)
PID 3900 wrote to memory of 3432 | 3900 | Agmehamp.exe | 104 (x3)
PID 3432 wrote to memory of 4960 | 3432 | Afpbkicl.exe | 106 (x3)
PID 4960 wrote to memory of 5076 | 4960 | Afdkfh32.exe | 107 (x3)
PID 5076 wrote to memory of 3840 | 5076 | Bijncb32.exe | 447 (x3)
PID 3840 wrote to memory of 4592 | 3840 | Ciaddaaj.exe | 109 (x3)
PID 4592 wrote to memory of 4804 | 4592 | Cnnllhpa.exe | 110 (x3)
PID 4804 wrote to memory of 4980 | 4804 | Dlnlak32.exe | 246 (x3)
PID 4980 wrote to memory of 1216 | 4980 | Doqbifpl.exe | 416 (x3)
PID 1216 wrote to memory of 1048 | 1216 | Epbkhhel.exe | 113 (x1)
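The WriteProcessMemory rows are the evidence for the parent-to-child chain, and every target pid also appears under "Executes dropped EXE", which is what separates writes into a child the sample just created from injection into a process it did not spawn. As an added example (not from the report or the sample), the Python below rebuilds the chain from rows copied above, counts the repeated writes per edge, and flags any target that is not a dropped executable. The row text and the pid-to-image map are copied from this report; the regex, the function names and the fork check are this example's own.

```python
import re
from collections import Counter

# Rows copied from this report's "Suspicious use of WriteProcessMemory" table
# (first four links of the chain). The text format is tria.ge's; the parser is
# this example's own.
WPM_ROWS = """
PID 2104 wrote to memory of 3932 2104 4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe 90
PID 2104 wrote to memory of 3932 2104 4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe 90
PID 2104 wrote to memory of 3932 2104 4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe 90
PID 3932 wrote to memory of 1840 3932 Gnoacp32.exe 91
PID 3932 wrote to memory of 1840 3932 Gnoacp32.exe 91
PID 3932 wrote to memory of 1840 3932 Gnoacp32.exe 91
PID 1840 wrote to memory of 3356 1840 Jnfjbj32.exe 92
PID 1840 wrote to memory of 3356 1840 Jnfjbj32.exe 92
PID 1840 wrote to memory of 3356 1840 Jnfjbj32.exe 92
PID 3356 wrote to memory of 4780 3356 Kccbjq32.exe 412
PID 3356 wrote to memory of 4780 3356 Kccbjq32.exe 412
PID 3356 wrote to memory of 4780 3356 Kccbjq32.exe 412
"""

# pid -> image for the same children, from this report's "Executes dropped EXE".
DROPPED_EXE = {3932: "Gnoacp32.exe", 1840: "Jnfjbj32.exe",
               3356: "Kccbjq32.exe", 4780: "Kmncif32.exe"}

# "PID <src> wrote to memory of <dst> <src> <src image> <tria.ge target procid>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return [(src pid, dst pid, src image, target procid)] for each matching row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, _, image, procid = m.groups()
            rows.append((int(src), int(dst), image, int(procid)))
    return rows


def write_counts(rows):
    """(src pid, dst pid) -> number of WriteProcessMemory events on that edge."""
    return Counter((s, d) for s, d, _, _ in rows)


def rebuild_chain(rows, root_pid, images=DROPPED_EXE):
    """Walk parent->child edges from root_pid and return [(pid, image)].

    Each pid's image is taken from the rows where it is the writer, or from the
    dropped-EXE map for the last child. A pid that writes to two different
    targets is a fork, not a chain, and raises ValueError."""
    child = {}
    writer_image = {}
    for src, dst, image, _ in rows:
        writer_image[src] = image
        if child.setdefault(src, dst) != dst:
            raise ValueError(f"pid {src} wrote to both {child[src]} and {dst}")
    chain, pid, seen = [], root_pid, set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, writer_image.get(pid, images.get(pid))))
        pid = child.get(pid)
    return chain


def injection_candidates(rows, dropped=DROPPED_EXE):
    """Target pids that are not dropped executables: writes into a process the
    sample did not spawn itself, which would point to injection rather than to
    setting up a child it had just created."""
    return sorted({d for _, d, _, _ in rows if d not in dropped})


if __name__ == "__main__":
    rows = parse_wpm(WPM_ROWS)
    for (s, d), n in sorted(write_counts(rows).items()):
        print(f"{s} -> {d}: {n} writes")
    print(" -> ".join(f"{pid}:{img}" for pid, img in rebuild_chain(rows, 2104)))
    print("injection candidates:", injection_candidates(rows))
```

Run on the full 64-row table the chain reaches PID 1048 (Efampahd.exe) and the candidate list stays empty; a non-empty list, or a ValueError from the fork check, is the point at which the "process hollowing or injection" question has to be asked of the sample.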
Processes
Each process below is the child of the one above it (the leading number is its depth in the tree). The command lines name C:\Windows\system32\ while the images resolve to C:\Windows\SysWOW64\: the sample is 32-bit, so the WOW64 file-system redirector maps its system32 paths to SysWOW64, which is also why its registry writes land under WOW6432Node.
1. C:\Users\Admin\AppData\Local\Temp\4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4a8812e55820ca43caae8c5d930ea9433befdf0b550bc19561383b0192c73247.exe"
   PID 2104
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Gnoacp32.exe
   command line: C:\Windows\system32\Gnoacp32.exe
   PID 3932
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jnfjbj32.exe
   command line: C:\Windows\system32\Jnfjbj32.exe
   PID 1840
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kccbjq32.exe
   command line: C:\Windows\system32\Kccbjq32.exe
   PID 3356
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kmncif32.exe
   command line: C:\Windows\system32\Kmncif32.exe
   PID 4780
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kfkamk32.exe
   command line: C:\Windows\system32\Kfkamk32.exe
   PID 3612
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ldanloba.exe
   command line: C:\Windows\system32\Ldanloba.exe
   PID 1244
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Lmqiec32.exe
   command line: C:\Windows\system32\Lmqiec32.exe
   PID 368
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mgbpdgap.exe
   command line: C:\Windows\system32\Mgbpdgap.exe
   PID 2116
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Nahdapae.exe
   command line: C:\Windows\system32\Nahdapae.exe
   PID 2096
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Noqofdlj.exe
   command line: C:\Windows\system32\Noqofdlj.exe
   PID 4488
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ndpcdjho.exe
   command line: C:\Windows\system32\Ndpcdjho.exe
   PID 3928
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Qnpgdmjd.exe
   command line: C:\Windows\system32\Qnpgdmjd.exe
   PID 4680
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Agmehamp.exe
   command line: C:\Windows\system32\Agmehamp.exe
   PID 3900
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Afpbkicl.exe
   command line: C:\Windows\system32\Afpbkicl.exe
   PID 3432
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Afdkfh32.exe
   command line: C:\Windows\system32\Afdkfh32.exe
   PID 4960
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bijncb32.exe
   command line: C:\Windows\system32\Bijncb32.exe
   PID 5076
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ciaddaaj.exe
   command line: C:\Windows\system32\Ciaddaaj.exe
   PID 3840
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Cnnllhpa.exe
   command line: C:\Windows\system32\Cnnllhpa.exe
   PID 4592
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Dlnlak32.exe
   command line: C:\Windows\system32\Dlnlak32.exe
   PID 4804
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Doqbifpl.exe
   command line: C:\Windows\system32\Doqbifpl.exe
   PID 4980
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Epbkhhel.exe
   command line: C:\Windows\system32\Epbkhhel.exe
   PID 1216
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Efampahd.exe
   command line: C:\Windows\system32\Efampahd.exe
   PID 1048
   - Executes dropped EXE
   - Modifies registry class
24. C:\Windows\SysWOW64\Fhefmjlp.exe
   command line: C:\Windows\system32\Fhefmjlp.exe
   PID 2060
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Foonjd32.exe
   command line: C:\Windows\system32\Foonjd32.exe
   PID 3948
   - Executes dropped EXE
   - Modifies registry class
C:\Windows\SysWOW64\Fpqgjf32.exeC:\Windows\system32\Fpqgjf32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Glnnofhi.exeC:\Windows\system32\Glnnofhi.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4232 -
C:\Windows\SysWOW64\Ggfobofl.exeC:\Windows\system32\Ggfobofl.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Hfniikha.exeC:\Windows\system32\Hfniikha.exe30⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Hgpbhmna.exeC:\Windows\system32\Hgpbhmna.exe31⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Hfeoijbi.exeC:\Windows\system32\Hfeoijbi.exe32⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Hhehkepj.exeC:\Windows\system32\Hhehkepj.exe33⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Icklhnop.exeC:\Windows\system32\Icklhnop.exe34⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Ifihdi32.exeC:\Windows\system32\Ifihdi32.exe35⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Jjemle32.exeC:\Windows\system32\Jjemle32.exe36⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Kgcqlh32.exeC:\Windows\system32\Kgcqlh32.exe37⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Glpdjpbj.exeC:\Windows\system32\Glpdjpbj.exe38⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Gammbfqa.exeC:\Windows\system32\Gammbfqa.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4796 -
C:\Windows\SysWOW64\Ghgeoq32.exeC:\Windows\system32\Ghgeoq32.exe40⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Hkjjfkcm.exeC:\Windows\system32\Hkjjfkcm.exe41⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Hllcfnhm.exeC:\Windows\system32\Hllcfnhm.exe42⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Ihgnfnjl.exeC:\Windows\system32\Ihgnfnjl.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4352 -
C:\Windows\SysWOW64\Iljpgl32.exeC:\Windows\system32\Iljpgl32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Jbghpc32.exeC:\Windows\system32\Jbghpc32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Jcknee32.exeC:\Windows\system32\Jcknee32.exe46⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Limioiia.exeC:\Windows\system32\Limioiia.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Lmmokgne.exeC:\Windows\system32\Lmmokgne.exe48⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Npgjbabk.exeC:\Windows\system32\Npgjbabk.exe49⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Omnqhbap.exeC:\Windows\system32\Omnqhbap.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Ppafpm32.exeC:\Windows\system32\Ppafpm32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Pilgnb32.exeC:\Windows\system32\Pilgnb32.exe52⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Pindcboi.exeC:\Windows\system32\Pindcboi.exe53⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Aiejda32.exeC:\Windows\system32\Aiejda32.exe54⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Alfcflfb.exeC:\Windows\system32\Alfcflfb.exe55⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Agkgceeh.exeC:\Windows\system32\Agkgceeh.exe56⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Aneppo32.exeC:\Windows\system32\Aneppo32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Almifk32.exeC:\Windows\system32\Almifk32.exe58⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Bgbmdd32.exeC:\Windows\system32\Bgbmdd32.exe59⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Bnlfqngm.exeC:\Windows\system32\Bnlfqngm.exe60⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Bcinie32.exeC:\Windows\system32\Bcinie32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Bkepeaaa.exeC:\Windows\system32\Bkepeaaa.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3800 -
C:\Windows\SysWOW64\Bqahmhpi.exeC:\Windows\system32\Bqahmhpi.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Bqdechnf.exeC:\Windows\system32\Bqdechnf.exe64⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Cmpoch32.exeC:\Windows\system32\Cmpoch32.exe65⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Cgecpa32.exeC:\Windows\system32\Cgecpa32.exe66⤵PID:448
-
C:\Windows\SysWOW64\Ccldebeo.exeC:\Windows\system32\Ccldebeo.exe67⤵PID:1044
-
C:\Windows\SysWOW64\Dcqmpa32.exeC:\Windows\system32\Dcqmpa32.exe68⤵
- Modifies registry class
PID:4972 -
C:\Windows\SysWOW64\Ejdhcjpl.exeC:\Windows\system32\Ejdhcjpl.exe69⤵PID:3332
-
C:\Windows\SysWOW64\Emdaee32.exeC:\Windows\system32\Emdaee32.exe70⤵PID:1748
-
C:\Windows\SysWOW64\Eaegqc32.exeC:\Windows\system32\Eaegqc32.exe71⤵PID:1604
-
C:\Windows\SysWOW64\Eljknl32.exeC:\Windows\system32\Eljknl32.exe72⤵PID:5152
-
C:\Windows\SysWOW64\Fagcfc32.exeC:\Windows\system32\Fagcfc32.exe73⤵PID:5196
-
C:\Windows\SysWOW64\Falmabki.exeC:\Windows\system32\Falmabki.exe74⤵PID:5244
-
C:\Windows\SysWOW64\Gaccbaeq.exeC:\Windows\system32\Gaccbaeq.exe75⤵PID:5288
-
C:\Windows\SysWOW64\Glmqjj32.exeC:\Windows\system32\Glmqjj32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Hoglbc32.exeC:\Windows\system32\Hoglbc32.exe77⤵PID:5392
-
C:\Windows\SysWOW64\Hlmiagbo.exeC:\Windows\system32\Hlmiagbo.exe78⤵
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Ihicah32.exeC:\Windows\system32\Ihicah32.exe79⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Iacepmik.exeC:\Windows\system32\Iacepmik.exe80⤵PID:5520
-
C:\Windows\SysWOW64\Jeanfkob.exeC:\Windows\system32\Jeanfkob.exe81⤵PID:5560
-
C:\Windows\SysWOW64\Jookjpam.exeC:\Windows\system32\Jookjpam.exe82⤵PID:5608
-
C:\Windows\SysWOW64\Kdpmmf32.exeC:\Windows\system32\Kdpmmf32.exe83⤵PID:5652
-
C:\Windows\SysWOW64\Kdbjbfjl.exeC:\Windows\system32\Kdbjbfjl.exe84⤵PID:5716
-
C:\Windows\SysWOW64\Kkooep32.exeC:\Windows\system32\Kkooep32.exe85⤵PID:5768
-
C:\Windows\SysWOW64\Khbpndnp.exeC:\Windows\system32\Khbpndnp.exe86⤵PID:5884
-
C:\Windows\SysWOW64\Loaafnah.exeC:\Windows\system32\Loaafnah.exe87⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Ldqfddml.exeC:\Windows\system32\Ldqfddml.exe88⤵PID:5984
-
C:\Windows\SysWOW64\Lkjoqnei.exeC:\Windows\system32\Lkjoqnei.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6044 -
C:\Windows\SysWOW64\Mkdagm32.exeC:\Windows\system32\Mkdagm32.exe90⤵PID:6100
-
C:\Windows\SysWOW64\Nfnooe32.exeC:\Windows\system32\Nfnooe32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184 -
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe92⤵PID:5236
-
C:\Windows\SysWOW64\Obeikc32.exeC:\Windows\system32\Obeikc32.exe93⤵PID:5324
-
C:\Windows\SysWOW64\Ppblkffp.exeC:\Windows\system32\Ppblkffp.exe94⤵PID:5384
-
C:\Windows\SysWOW64\Peodcmeg.exeC:\Windows\system32\Peodcmeg.exe95⤵PID:2272
-
C:\Windows\SysWOW64\Qolbgbgb.exeC:\Windows\system32\Qolbgbgb.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5428 -
C:\Windows\SysWOW64\Qibfdkgh.exeC:\Windows\system32\Qibfdkgh.exe97⤵PID:5528
-
C:\Windows\SysWOW64\Aidcjk32.exeC:\Windows\system32\Aidcjk32.exe98⤵PID:5592
-
C:\Windows\SysWOW64\Aoalba32.exeC:\Windows\system32\Aoalba32.exe99⤵PID:5636
-
C:\Windows\SysWOW64\Aochga32.exeC:\Windows\system32\Aochga32.exe100⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Aemqdk32.exeC:\Windows\system32\Aemqdk32.exe101⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Algiaepd.exeC:\Windows\system32\Algiaepd.exe102⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Accnco32.exeC:\Windows\system32\Accnco32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Bpgnmcdh.exeC:\Windows\system32\Bpgnmcdh.exe104⤵PID:5948
-
C:\Windows\SysWOW64\Bodano32.exeC:\Windows\system32\Bodano32.exe105⤵
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Comddn32.exeC:\Windows\system32\Comddn32.exe106⤵PID:2276
-
C:\Windows\SysWOW64\Dlcaca32.exeC:\Windows\system32\Dlcaca32.exe107⤵PID:1412
-
C:\Windows\SysWOW64\Dgkbfjeg.exeC:\Windows\system32\Dgkbfjeg.exe108⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Dcglfjgf.exeC:\Windows\system32\Dcglfjgf.exe109⤵
- Drops file in System32 directory
PID:5232 -
C:\Windows\SysWOW64\Enomic32.exeC:\Windows\system32\Enomic32.exe110⤵PID:4512
-
C:\Windows\SysWOW64\Eggbbhkj.exeC:\Windows\system32\Eggbbhkj.exe111⤵PID:5376
-
C:\Windows\SysWOW64\Emdjjo32.exeC:\Windows\system32\Emdjjo32.exe112⤵PID:5460
-
C:\Windows\SysWOW64\Egiohh32.exeC:\Windows\system32\Egiohh32.exe113⤵PID:3972
-
C:\Windows\SysWOW64\Encgdbqd.exeC:\Windows\system32\Encgdbqd.exe114⤵
- Modifies registry class
PID:4580 -
C:\Windows\SysWOW64\Enfcjb32.exeC:\Windows\system32\Enfcjb32.exe115⤵PID:5516
-
C:\Windows\SysWOW64\Ecblbi32.exeC:\Windows\system32\Ecblbi32.exe116⤵PID:5776
-
C:\Windows\SysWOW64\Fnhppa32.exeC:\Windows\system32\Fnhppa32.exe117⤵
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Fnjmea32.exeC:\Windows\system32\Fnjmea32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Fplimi32.exeC:\Windows\system32\Fplimi32.exe119⤵PID:6028
-
C:\Windows\SysWOW64\Fapobl32.exeC:\Windows\system32\Fapobl32.exe120⤵PID:1624
-
C:\Windows\SysWOW64\Gpjfng32.exeC:\Windows\system32\Gpjfng32.exe121⤵PID:2804
-
C:\Windows\SysWOW64\Galonj32.exeC:\Windows\system32\Galonj32.exe122⤵
- Modifies registry class
PID:3840