Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
05/07/2024, 07:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f.exe
-
Size
64KB
-
MD5
734868307cf7c864535b252e73adad50
-
SHA1
afcabd504f1c9d073b7fb1b5178ace0cff0ec9db
-
SHA256
414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f
-
SHA512
19fbef23a76b0c2bd209ffc116eace6f45cf558b79307c66e4243bdaf92324b973b6593fad466d709007274fbd31d47da1ba9aa9572c9bf0adb71006f0c4ba2e
-
SSDEEP
1536:7wiZ1XzDTi2U2UnPnbSi8KHoi4vyUXruCHcpzt/Idn:kiHnTvDUnDSiH59pFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhail32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnjqmpgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmmeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejqldci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidinqpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkbgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oahnhncc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpmfpid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedafk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnjocf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bggnijof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokiig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopkkdgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maaekg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnelpod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhppik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiaqnagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kppbejka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beaohcmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbiado32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjillkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdciiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdbac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkeekk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqdmghnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mopeofjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifnkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecoaijio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eennefib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiijfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghpooanf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbenho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibgmaqfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbjbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baegibae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpljehpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbbhafj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejcki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giokid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggbcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpppmqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddhbipj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefmgogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjbhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidinqpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflfdbip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjhjae32.exe -
Executes dropped EXE 64 IoCs
pid Process 4952 Plndcl32.exe 1172 Plbmokop.exe 4944 Plejdkmm.exe 2908 Qcaofebg.exe 4592 Qkmdkgob.exe 2472 Aaiimadl.exe 792 Aakebqbj.exe 3412 Afinioip.exe 2612 Aodogdmn.exe 436 Bfpdin32.exe 4112 Bbiado32.exe 5072 Bmabggdm.exe 1688 Cmcolgbj.exe 4732 Ccpdoqgd.exe 3476 Ejoomhmi.exe 752 Efjimhnh.exe 4360 Fcniglmb.exe 2508 Fdqfll32.exe 1720 Ffclcgfn.exe 3044 Fmpqfq32.exe 3672 Gfkbde32.exe 788 Gljgbllj.exe 4188 Hpjmnjqn.exe 5060 Hdhedh32.exe 4108 Hpofii32.exe 4460 Hiiggoaf.exe 2192 Ikkpgafg.exe 2236 Igbalblk.exe 1460 Ipmbjgpi.exe 4332 Jncoikmp.exe 4464 Jcbdgb32.exe 1676 Jgbjbp32.exe 3764 Kdigadjo.exe 696 Knalji32.exe 468 Kqbdldnq.exe 3364 Kkjeomld.exe 3240 Lqikmc32.exe 2044 Lnohlgep.exe 4512 Lkeekk32.exe 3464 Madjhb32.exe 2796 Mkmkkjko.exe 112 Mjahlgpf.exe 2452 Nlcalieg.exe 3868 Nenbjo32.exe 3120 Nlmdbh32.exe 5024 Odhifjkg.exe 1428 Oobfob32.exe 5092 Odalmibl.exe 4420 Pddhbipj.exe 4104 Phaahggp.exe 3360 Pefabkej.exe 1312 Phfjcf32.exe 1568 Qdphngfl.exe 1744 Qdbdcg32.exe 3060 Amjillkj.exe 4920 Adfnofpd.exe 4128 Aajohjon.exe 3936 Aamknj32.exe 2116 Aoalgn32.exe 2836 Bochmn32.exe 3296 Blgifbil.exe 1392 Bnkbcj32.exe 396 Bkaobnio.exe 1372 Blqllqqa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fllhjc32.dll Ocnabm32.exe File opened for modification C:\Windows\SysWOW64\Kehojiej.exe Kefbdjgm.exe File created C:\Windows\SysWOW64\Khhmbdka.dll Pbimjb32.exe File created C:\Windows\SysWOW64\Hjcojo32.exe Hjabdo32.exe File created C:\Windows\SysWOW64\Nmlhaa32.exe Mhppik32.exe File created C:\Windows\SysWOW64\Acigfpbp.dll Qkmdkgob.exe File created C:\Windows\SysWOW64\Olieecnn.dll Jngbjd32.exe File opened for modification C:\Windows\SysWOW64\Filapfbo.exe Fndpmndl.exe File created C:\Windows\SysWOW64\Odbpij32.exe Ndpcdjho.exe File created C:\Windows\SysWOW64\Ojlnphpd.dll Flddoa32.exe File created C:\Windows\SysWOW64\Bgnffj32.exe Bdmmeo32.exe File created C:\Windows\SysWOW64\Igmoih32.exe Ilfodgeg.exe File created C:\Windows\SysWOW64\Decmjjie.exe Dnienqbi.exe File created C:\Windows\SysWOW64\Oepnld32.dll Fhnichde.exe File created C:\Windows\SysWOW64\Affgmbdd.dll Pdklebje.exe File created C:\Windows\SysWOW64\Jbagbebm.exe Jbojlfdp.exe File created C:\Windows\SysWOW64\Ciknefmk.exe Cfmahknh.exe File created C:\Windows\SysWOW64\Laiiombp.dll Dghadidj.exe File opened for modification C:\Windows\SysWOW64\Bikeni32.exe Bihhhi32.exe File created C:\Windows\SysWOW64\Gqnajlid.dll Kilphk32.exe File created C:\Windows\SysWOW64\Omabnq32.dll Mkicjgnn.exe File created C:\Windows\SysWOW64\Ogdofo32.exe Omlkmign.exe File opened for modification C:\Windows\SysWOW64\Jjbjlpga.exe Jomeoggk.exe File created C:\Windows\SysWOW64\Mcdeeq32.exe Mbdiknlb.exe File created C:\Windows\SysWOW64\Lcgagm32.dll Gjhfif32.exe File created C:\Windows\SysWOW64\Midbjmkg.dll Cbhbbn32.exe File created C:\Windows\SysWOW64\Cpljehpo.exe Bgdemb32.exe File created C:\Windows\SysWOW64\Lennjaej.dll Jegohe32.exe File created C:\Windows\SysWOW64\Ejglcq32.exe Ehhpge32.exe File created C:\Windows\SysWOW64\Ckbaokim.dll Hedafk32.exe File created C:\Windows\SysWOW64\Fajkijoe.dll Lbenho32.exe File created C:\Windows\SysWOW64\Amqhbe32.exe Aggpfkjj.exe File created C:\Windows\SysWOW64\Fnjocf32.exe Fcekfnkb.exe File created C:\Windows\SysWOW64\Ppdjpcng.exe Pdmikb32.exe File created C:\Windows\SysWOW64\Mkiongah.dll Fndpmndl.exe File created C:\Windows\SysWOW64\Bkkhbb32.exe Babcil32.exe File opened for modification C:\Windows\SysWOW64\Ijbbfc32.exe Ibgmaqfl.exe File created C:\Windows\SysWOW64\Lmiljn32.exe Labkempb.exe File created C:\Windows\SysWOW64\Pjgemi32.exe Pdklebje.exe File created C:\Windows\SysWOW64\Blqllqqa.exe Bkaobnio.exe File created C:\Windows\SysWOW64\Dgihjf32.dll Dhphmj32.exe File opened for modification C:\Windows\SysWOW64\Dhikci32.exe Dkekjdck.exe File opened for modification C:\Windows\SysWOW64\Kjamhd32.exe Kiaqnagj.exe File created C:\Windows\SysWOW64\Oidalg32.dll Dfiildio.exe File opened for modification C:\Windows\SysWOW64\Dkhnjk32.exe Dndnpf32.exe File opened for modification C:\Windows\SysWOW64\Gicgpelg.exe Fkofga32.exe File opened for modification C:\Windows\SysWOW64\Kjdqhjpf.exe Kallod32.exe File created C:\Windows\SysWOW64\Ofhcdlgg.exe Oakjnnap.exe File created C:\Windows\SysWOW64\Adkcem32.dll Beaohcmf.exe File created C:\Windows\SysWOW64\Hohcmjic.exe Hadcce32.exe File opened for modification C:\Windows\SysWOW64\Jddiegbm.exe Jaemilci.exe File created C:\Windows\SysWOW64\Nhgmcp32.exe Ncjdki32.exe File created C:\Windows\SysWOW64\Janpnfee.exe Jnocakfb.exe File created C:\Windows\SysWOW64\Jlqmgaad.dll Cbiabq32.exe File opened for modification C:\Windows\SysWOW64\Midoph32.exe Mcggga32.exe File created C:\Windows\SysWOW64\Ignlbcmf.dll Jinboekc.exe File created C:\Windows\SysWOW64\Gicgpelg.exe Fkofga32.exe File created C:\Windows\SysWOW64\Dcalgbgh.dll Adnilfnl.exe File created C:\Windows\SysWOW64\Ookhfigk.exe Ohqpjo32.exe File created C:\Windows\SysWOW64\Ndejcemn.exe Njmejp32.exe File opened for modification C:\Windows\SysWOW64\Fiaael32.exe Ffqhcq32.exe File created C:\Windows\SysWOW64\Bgnpek32.dll Lohqnd32.exe File created C:\Windows\SysWOW64\Fcekfnkb.exe Fqdbdbna.exe File created C:\Windows\SysWOW64\Mbdiknlb.exe Mlhqcgnk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9240 10128 WerFault.exe 772 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfhbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehklmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbjmd32.dll" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlnnc32.dll" Hejqldci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hednfnpf.dll" Hjlaoioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndfbikc.dll" Blgifbil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnfkdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilibdmgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejcki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokmqben.dll" Adfnofpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gflhoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffnglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhldm32.dll" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabfbmnl.dll" Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifnbph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kilphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajepci32.dll" Ghpooanf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpjnjii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafkgphl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddnic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igqceh32.dll" Apgqie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjmmjng.dll" Gnckooob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaqcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dghadidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojfbof32.dll" Lobhqdec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmabggdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkodak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll" Ciknefmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghgljg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpejlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhcbidcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jomeoggk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnjo32.dll" Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihaidhgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbddobla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eljchpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daajam32.dll" Gchflq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeffgkkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlqmgaad.dll" Cbiabq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omlkmign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdgglfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnlhncgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldclhie.dll" Babcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdgckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialjan32.dll" Ekodjiol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimdleea.dll" Bldgoeog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjhjae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll" Gcjdam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elolco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oahnhncc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igghilhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igajal32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1148 wrote to memory of 4952 1148 414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f.exe 83 PID 1148 wrote to memory of 4952 1148 414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f.exe 83 PID 1148 wrote to memory of 4952 1148 414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f.exe 83 PID 4952 wrote to memory of 1172 4952 Plndcl32.exe 84 PID 4952 wrote to memory of 1172 4952 Plndcl32.exe 84 PID 4952 wrote to memory of 1172 4952 Plndcl32.exe 84 PID 1172 wrote to memory of 4944 1172 Plbmokop.exe 85 PID 1172 wrote to memory of 4944 1172 Plbmokop.exe 85 PID 1172 wrote to memory of 4944 1172 Plbmokop.exe 85 PID 4944 wrote to memory of 2908 4944 Plejdkmm.exe 86 PID 4944 wrote to memory of 2908 4944 Plejdkmm.exe 86 PID 4944 wrote to memory of 2908 4944 Plejdkmm.exe 86 PID 2908 wrote to memory of 4592 2908 Qcaofebg.exe 87 PID 2908 wrote to memory of 4592 2908 Qcaofebg.exe 87 PID 2908 wrote to memory of 4592 2908 Qcaofebg.exe 87 PID 4592 wrote to memory of 2472 4592 Qkmdkgob.exe 88 PID 4592 wrote to memory of 2472 4592 Qkmdkgob.exe 88 PID 4592 wrote to memory of 2472 4592 Qkmdkgob.exe 88 PID 2472 wrote to memory of 792 2472 Aaiimadl.exe 89 PID 2472 wrote to memory of 792 2472 Aaiimadl.exe 89 PID 2472 wrote to memory of 792 2472 Aaiimadl.exe 89 PID 792 wrote to memory of 3412 792 Aakebqbj.exe 90 PID 792 wrote to memory of 3412 792 Aakebqbj.exe 90 PID 792 wrote to memory of 3412 792 Aakebqbj.exe 90 PID 3412 wrote to memory of 2612 3412 Afinioip.exe 91 PID 3412 wrote to memory of 2612 3412 Afinioip.exe 91 PID 3412 wrote to memory of 2612 3412 Afinioip.exe 91 PID 2612 wrote to memory of 436 2612 Aodogdmn.exe 92 PID 2612 wrote to memory of 436 2612 Aodogdmn.exe 92 PID 2612 wrote to memory of 436 2612 Aodogdmn.exe 92 PID 436 wrote to memory of 4112 436 Bfpdin32.exe 93 PID 436 wrote to memory of 4112 436 Bfpdin32.exe 93 PID 436 wrote to memory of 4112 436 Bfpdin32.exe 93 PID 4112 wrote to memory of 5072 4112 Bbiado32.exe 94 PID 4112 wrote to memory of 5072 4112 Bbiado32.exe 94 PID 4112 wrote to memory of 5072 4112 Bbiado32.exe 94 PID 5072 wrote to memory of 1688 5072 Bmabggdm.exe 95 PID 5072 wrote to memory of 1688 5072 Bmabggdm.exe 95 PID 5072 wrote to memory of 1688 5072 Bmabggdm.exe 95 PID 1688 wrote to memory of 4732 1688 Cmcolgbj.exe 96 PID 1688 wrote to memory of 4732 1688 Cmcolgbj.exe 96 PID 1688 wrote to memory of 4732 1688 Cmcolgbj.exe 96 PID 4732 wrote to memory of 3476 4732 Ccpdoqgd.exe 97 PID 4732 wrote to memory of 3476 4732 Ccpdoqgd.exe 97 PID 4732 wrote to memory of 3476 4732 Ccpdoqgd.exe 97 PID 3476 wrote to memory of 752 3476 Ejoomhmi.exe 98 PID 3476 wrote to memory of 752 3476 Ejoomhmi.exe 98 PID 3476 wrote to memory of 752 3476 Ejoomhmi.exe 98 PID 752 wrote to memory of 4360 752 Efjimhnh.exe 99 PID 752 wrote to memory of 4360 752 Efjimhnh.exe 99 PID 752 wrote to memory of 4360 752 Efjimhnh.exe 99 PID 4360 wrote to memory of 2508 4360 Fcniglmb.exe 100 PID 4360 wrote to memory of 2508 4360 Fcniglmb.exe 100 PID 4360 wrote to memory of 2508 4360 Fcniglmb.exe 100 PID 2508 wrote to memory of 1720 2508 Fdqfll32.exe 101 PID 2508 wrote to memory of 1720 2508 Fdqfll32.exe 101 PID 2508 wrote to memory of 1720 2508 Fdqfll32.exe 101 PID 1720 wrote to memory of 3044 1720 Ffclcgfn.exe 102 PID 1720 wrote to memory of 3044 1720 Ffclcgfn.exe 102 PID 1720 wrote to memory of 3044 1720 Ffclcgfn.exe 102 PID 3044 wrote to memory of 3672 3044 Fmpqfq32.exe 103 PID 3044 wrote to memory of 3672 3044 Fmpqfq32.exe 103 PID 3044 wrote to memory of 3672 3044 Fmpqfq32.exe 103 PID 3672 wrote to memory of 788 3672 Gfkbde32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f.exe"C:\Users\Admin\AppData\Local\Temp\414c93a60a98b66550c3ec0aa76440b563e7ee266d837d3976b39e431a210f6f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe23⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe24⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe25⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe26⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe27⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe28⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe29⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe32⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe34⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe35⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe36⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe37⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe38⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe39⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Lkeekk32.exeC:\Windows\system32\Lkeekk32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe41⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe43⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe44⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe46⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe47⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe48⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Odalmibl.exeC:\Windows\system32\Odalmibl.exe49⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe51⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe52⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe53⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe54⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe55⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe58⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe59⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe60⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe61⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3296 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe63⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe65⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe66⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe67⤵PID:536
-
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe68⤵PID:208
-
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe69⤵PID:4632
-
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe70⤵PID:4480
-
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe71⤵PID:2548
-
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe72⤵
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe73⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe74⤵PID:1624
-
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe75⤵PID:1412
-
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe76⤵PID:4168
-
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe77⤵PID:3772
-
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe78⤵
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe79⤵PID:4588
-
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe80⤵PID:1020
-
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe81⤵PID:4828
-
C:\Windows\SysWOW64\Fpdcag32.exeC:\Windows\system32\Fpdcag32.exe82⤵PID:3940
-
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe83⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Fiaael32.exeC:\Windows\system32\Fiaael32.exe84⤵PID:2072
-
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe85⤵PID:3424
-
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe86⤵PID:980
-
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe87⤵PID:1784
-
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe88⤵PID:1436
-
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe89⤵
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Goglcahb.exeC:\Windows\system32\Goglcahb.exe90⤵PID:1796
-
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe91⤵PID:3452
-
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe93⤵PID:212
-
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe94⤵PID:4012
-
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe95⤵PID:4816
-
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe96⤵PID:1972
-
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe97⤵PID:5104
-
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe98⤵PID:4484
-
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe99⤵PID:1836
-
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe100⤵
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe101⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe102⤵PID:4280
-
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe103⤵PID:2320
-
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe104⤵PID:3616
-
C:\Windows\SysWOW64\Jofalmmp.exeC:\Windows\system32\Jofalmmp.exe105⤵PID:2760
-
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe106⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe107⤵
- Drops file in System32 directory
PID:4724 -
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe108⤵PID:4536
-
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe109⤵PID:2560
-
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4784 -
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe111⤵PID:1448
-
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4700 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe113⤵PID:976
-
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Lqhdbm32.exeC:\Windows\system32\Lqhdbm32.exe115⤵PID:5160
-
C:\Windows\SysWOW64\Lqkqhm32.exeC:\Windows\system32\Lqkqhm32.exe116⤵PID:5208
-
C:\Windows\SysWOW64\Lqmmmmph.exeC:\Windows\system32\Lqmmmmph.exe117⤵PID:5252
-
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe118⤵PID:5296
-
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe119⤵PID:5340
-
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe120⤵PID:5384
-
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe121⤵
- Modifies registry class
PID:5428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-