Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
06/07/2024, 02:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe
-
Size
136KB
-
MD5
4115fb29d4aa3ee25c2e9aec708ea24f
-
SHA1
e5e71110df695dbdc67b865e87bc1162ef769dc1
-
SHA256
c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1
-
SHA512
c8e11f5333e29819e7d493c72c31a7a8d7572f5a15a83b7c8c4a54b215aa59ee621194f405fb1da6c026ea7ad380c69f5fd0163475ac13b6191d151c18ef2637
-
SSDEEP
3072:xDAHfmNSFrBa9LsohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:xDA/OSF89Lsohxd2Quohdbd0zscj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggaah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilafiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njkkbehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addaif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkadoiip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiihahme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljclki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgcih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikcmbfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neclenfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oileggkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplpll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlbcnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjaphek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbbhkjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiildjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qljjjqlc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phjenbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Allpejfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paelfmaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooaoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghklce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgghjjid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfjijgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifmqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkadoiip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fonnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mifljdjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiildjag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddligq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgflqkdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdaaaeqg.exe -
Executes dropped EXE 64 IoCs
pid Process 3296 Fggfnc32.exe 2660 Fonnop32.exe 2468 Fehfljca.exe 3476 Fhgbhfbe.exe 468 Foqkdp32.exe 1152 Gekcaj32.exe 2620 Ghipne32.exe 1532 Gochjpho.exe 1344 Gempgj32.exe 3668 Ghklce32.exe 2892 Gnhdkl32.exe 224 Gepmlimi.exe 4920 Ghniielm.exe 1208 Gkleeplq.exe 4248 Gafmaj32.exe 760 Ghpendjj.exe 4628 Gkobjpin.exe 1456 Gfdfgiid.exe 2948 Ghbbcd32.exe 1592 Hnoklk32.exe 1524 Hdicienl.exe 4808 Hkckeo32.exe 552 Hfipbh32.exe 1064 Hgjljpkm.exe 4680 Hbpphi32.exe 4816 Hkhdqoac.exe 2652 Hbbmmi32.exe 4356 Hkjafn32.exe 3972 Hfpecg32.exe 2724 Iohjlmeg.exe 712 Idebdcdo.exe 2464 Inmgmijo.exe 3616 Iickkbje.exe 3880 Iomcgl32.exe 3692 Ibkpcg32.exe 1036 Iiehpahb.exe 4524 Ikcdlmgf.exe 3916 Inbqhhfj.exe 4316 Ibnligoc.exe 2336 Ieliebnf.exe 8 Iigdfa32.exe 432 Ikfabm32.exe 3836 Ibpiogmp.exe 5100 Ifleoe32.exe 4496 Igmagnkg.exe 4132 Jodjhkkj.exe 4000 Jfnbdecg.exe 2616 Jilnqqbj.exe 2072 Joffnk32.exe 3352 Jfpojead.exe 3472 Jecofa32.exe 5064 Jgakbm32.exe 2996 Joiccj32.exe 2828 Jbgoof32.exe 3660 Jbileede.exe 4032 Jicdap32.exe 1364 Jkaqnk32.exe 216 Jnpmjf32.exe 3528 Jejefqaf.exe 1008 Kppici32.exe 1868 Kbnepe32.exe 452 Kelalp32.exe 4112 Klfjijgq.exe 3040 Knefeffd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qfbobf32.exe Qcdbfk32.exe File created C:\Windows\SysWOW64\Edogedqq.dll Bjaqpbkh.exe File created C:\Windows\SysWOW64\Cadlbk32.exe Cimcan32.exe File opened for modification C:\Windows\SysWOW64\Mkhapk32.exe Mcqjon32.exe File created C:\Windows\SysWOW64\Legjmh32.exe Lbinam32.exe File created C:\Windows\SysWOW64\Hfcnpn32.exe Hlnjbedi.exe File created C:\Windows\SysWOW64\Aagkhd32.exe Process not Found File created C:\Windows\SysWOW64\Kajimagp.dll Process not Found File created C:\Windows\SysWOW64\Ecjbbo32.dll Dgejpd32.exe File created C:\Windows\SysWOW64\Appfnncn.dll Koodbl32.exe File created C:\Windows\SysWOW64\Kkkahahf.dll Nohehq32.exe File opened for modification C:\Windows\SysWOW64\Djdflp32.exe Dgejpd32.exe File created C:\Windows\SysWOW64\Ccmbmpbk.dll Oloahhki.exe File created C:\Windows\SysWOW64\Lfbped32.exe Lcdciiec.exe File created C:\Windows\SysWOW64\Paiogf32.exe Process not Found File created C:\Windows\SysWOW64\Bcghch32.exe Boklbi32.exe File opened for modification C:\Windows\SysWOW64\Cimcan32.exe Cfogeb32.exe File created C:\Windows\SysWOW64\Poimpapp.exe Plkpcfal.exe File created C:\Windows\SysWOW64\Ampillfk.dll Process not Found File created C:\Windows\SysWOW64\Ckpbnb32.exe Cjnffjkl.exe File created C:\Windows\SysWOW64\Gdjibj32.exe Gpnmbl32.exe File created C:\Windows\SysWOW64\Oilmjcon.dll Ljfhqh32.exe File opened for modification C:\Windows\SysWOW64\Jedccfqg.exe Jcfggkac.exe File created C:\Windows\SysWOW64\Lnmodnoo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Opcqnb32.exe Ohlimd32.exe File created C:\Windows\SysWOW64\Nmiakk32.dll Dmbbhkjf.exe File opened for modification C:\Windows\SysWOW64\Ddcqedkk.exe Daediilg.exe File opened for modification C:\Windows\SysWOW64\Kqnbkl32.exe Jjdjoane.exe File created C:\Windows\SysWOW64\Klkfenfk.dll Gimqajgh.exe File created C:\Windows\SysWOW64\Ijikdfig.dll Process not Found File created C:\Windows\SysWOW64\Onmfimga.exe Process not Found File created C:\Windows\SysWOW64\Hmlgah32.dll Ngmpcn32.exe File opened for modification C:\Windows\SysWOW64\Ggbook32.exe Gphgbafl.exe File created C:\Windows\SysWOW64\Knflpoqf.exe Kjkpoq32.exe File created C:\Windows\SysWOW64\Pcleml32.dll Jcikgacl.exe File opened for modification C:\Windows\SysWOW64\Ljfhqh32.exe Lggldm32.exe File opened for modification C:\Windows\SysWOW64\Pahilmoc.exe Poimpapp.exe File created C:\Windows\SysWOW64\Mbnnhndk.dll Pdhbmh32.exe File created C:\Windows\SysWOW64\Biafno32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nlqomd32.exe Nibbqicm.exe File created C:\Windows\SysWOW64\Iqbbpm32.exe Indfca32.exe File created C:\Windows\SysWOW64\Fcgeilmb.dll Dlkbjqgm.exe File created C:\Windows\SysWOW64\Ejfeng32.exe Efjimhnh.exe File opened for modification C:\Windows\SysWOW64\Lopmii32.exe Lmaamn32.exe File created C:\Windows\SysWOW64\Hlhefcoo.dll Process not Found File created C:\Windows\SysWOW64\Hcdikecn.dll Olehhc32.exe File created C:\Windows\SysWOW64\Dmlijb32.dll Piijno32.exe File opened for modification C:\Windows\SysWOW64\Mqkiok32.exe Mmpmnl32.exe File opened for modification C:\Windows\SysWOW64\Jkaqnk32.exe Jicdap32.exe File created C:\Windows\SysWOW64\Mlkepaam.exe Milidebi.exe File created C:\Windows\SysWOW64\Cbbdjm32.exe Codhnb32.exe File opened for modification C:\Windows\SysWOW64\Lggldm32.exe Ldipha32.exe File created C:\Windows\SysWOW64\Gfjkjo32.exe Gppcmeem.exe File opened for modification C:\Windows\SysWOW64\Lhijijbg.exe Lfhnaa32.exe File created C:\Windows\SysWOW64\Hiilcp32.dll Poajkgnc.exe File created C:\Windows\SysWOW64\Lbopphio.dll Phfjcf32.exe File opened for modification C:\Windows\SysWOW64\Kcbfcigf.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Ebadmmge.dll Ffpicn32.exe File opened for modification C:\Windows\SysWOW64\Qepkbpak.exe Qadoba32.exe File opened for modification C:\Windows\SysWOW64\Ikbfgppo.exe Iggjga32.exe File created C:\Windows\SysWOW64\Chiigadc.exe Cfkmkf32.exe File opened for modification C:\Windows\SysWOW64\Ckjbhmad.exe Cdpjlb32.exe File opened for modification C:\Windows\SysWOW64\Biadeoce.exe Bfchidda.exe File created C:\Windows\SysWOW64\Obcceg32.exe Oklkdi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3628 6872 Process not Found 1238 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbekag32.dll" Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbklgfdh.dll" Iliinc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklkdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmmmfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hplbickp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpagaq32.dll" Hgjljpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhnpc32.dll" Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifdaage.dll" Mhilfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbenoa32.dll" Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okogahgo.dll" Acgolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bciehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinlh32.dll" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmphblgf.dll" Dheibpje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khbdikip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omlokmha.dll" Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjjnh32.dll" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkbcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkohq32.dll" Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll" Cbdjeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekamnhne.dll" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofeei32.dll" Jlhljhbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhabbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmonl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlnipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlfpdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kggcnoic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foqkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foqkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohjlmeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgaeolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facdchai.dll" Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfjphid.dll" Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olicnfco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iomcgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccgjopal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfniqp32.dll" Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdbdcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafmjm32.dll" Ipgbdbqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgfapd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkobjpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljejh32.dll" Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmigoagp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1648 wrote to memory of 3296 1648 c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe 82 PID 1648 wrote to memory of 3296 1648 c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe 82 PID 1648 wrote to memory of 3296 1648 c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe 82 PID 3296 wrote to memory of 2660 3296 Fggfnc32.exe 84 PID 3296 wrote to memory of 2660 3296 Fggfnc32.exe 84 PID 3296 wrote to memory of 2660 3296 Fggfnc32.exe 84 PID 2660 wrote to memory of 2468 2660 Fonnop32.exe 85 PID 2660 wrote to memory of 2468 2660 Fonnop32.exe 85 PID 2660 wrote to memory of 2468 2660 Fonnop32.exe 85 PID 2468 wrote to memory of 3476 2468 Fehfljca.exe 86 PID 2468 wrote to memory of 3476 2468 Fehfljca.exe 86 PID 2468 wrote to memory of 3476 2468 Fehfljca.exe 86 PID 3476 wrote to memory of 468 3476 Fhgbhfbe.exe 87 PID 3476 wrote to memory of 468 3476 Fhgbhfbe.exe 87 PID 3476 wrote to memory of 468 3476 Fhgbhfbe.exe 87 PID 468 wrote to memory of 1152 468 Foqkdp32.exe 89 PID 468 wrote to memory of 1152 468 Foqkdp32.exe 89 PID 468 wrote to memory of 1152 468 Foqkdp32.exe 89 PID 1152 wrote to memory of 2620 1152 Gekcaj32.exe 90 PID 1152 wrote to memory of 2620 1152 Gekcaj32.exe 90 PID 1152 wrote to memory of 2620 1152 Gekcaj32.exe 90 PID 2620 wrote to memory of 1532 2620 Ghipne32.exe 91 PID 2620 wrote to memory of 1532 2620 Ghipne32.exe 91 PID 2620 wrote to memory of 1532 2620 Ghipne32.exe 91 PID 1532 wrote to memory of 1344 1532 Gochjpho.exe 92 PID 1532 wrote to memory of 1344 1532 Gochjpho.exe 92 PID 1532 wrote to memory of 1344 1532 Gochjpho.exe 92 PID 1344 wrote to memory of 3668 1344 Gempgj32.exe 93 PID 1344 wrote to memory of 3668 1344 Gempgj32.exe 93 PID 1344 wrote to memory of 3668 1344 Gempgj32.exe 93 PID 3668 wrote to memory of 2892 3668 Ghklce32.exe 94 PID 3668 wrote to memory of 2892 3668 Ghklce32.exe 94 PID 3668 wrote to memory of 2892 3668 Ghklce32.exe 94 PID 2892 wrote to memory of 224 2892 Gnhdkl32.exe 96 PID 2892 wrote to memory of 224 2892 Gnhdkl32.exe 96 PID 2892 wrote to memory of 224 2892 Gnhdkl32.exe 96 PID 224 wrote to memory of 4920 224 Gepmlimi.exe 97 PID 224 wrote to memory of 4920 224 Gepmlimi.exe 97 PID 224 wrote to memory of 4920 224 Gepmlimi.exe 97 PID 4920 wrote to memory of 1208 4920 Ghniielm.exe 98 PID 4920 wrote to memory of 1208 4920 Ghniielm.exe 98 PID 4920 wrote to memory of 1208 4920 Ghniielm.exe 98 PID 1208 wrote to memory of 4248 1208 Gkleeplq.exe 99 PID 1208 wrote to memory of 4248 1208 Gkleeplq.exe 99 PID 1208 wrote to memory of 4248 1208 Gkleeplq.exe 99 PID 4248 wrote to memory of 760 4248 Gafmaj32.exe 100 PID 4248 wrote to memory of 760 4248 Gafmaj32.exe 100 PID 4248 wrote to memory of 760 4248 Gafmaj32.exe 100 PID 760 wrote to memory of 4628 760 Ghpendjj.exe 101 PID 760 wrote to memory of 4628 760 Ghpendjj.exe 101 PID 760 wrote to memory of 4628 760 Ghpendjj.exe 101 PID 4628 wrote to memory of 1456 4628 Gkobjpin.exe 102 PID 4628 wrote to memory of 1456 4628 Gkobjpin.exe 102 PID 4628 wrote to memory of 1456 4628 Gkobjpin.exe 102 PID 1456 wrote to memory of 2948 1456 Gfdfgiid.exe 103 PID 1456 wrote to memory of 2948 1456 Gfdfgiid.exe 103 PID 1456 wrote to memory of 2948 1456 Gfdfgiid.exe 103 PID 2948 wrote to memory of 1592 2948 Ghbbcd32.exe 104 PID 2948 wrote to memory of 1592 2948 Ghbbcd32.exe 104 PID 2948 wrote to memory of 1592 2948 Ghbbcd32.exe 104 PID 1592 wrote to memory of 1524 1592 Hnoklk32.exe 105 PID 1592 wrote to memory of 1524 1592 Hnoklk32.exe 105 PID 1592 wrote to memory of 1524 1592 Hnoklk32.exe 105 PID 1524 wrote to memory of 4808 1524 Hdicienl.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe"C:\Users\Admin\AppData\Local\Temp\c866a89e146bea84ebced862e4bff899499a477f9306dd0f067e8db6aaad9ca1.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe23⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe24⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe26⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe27⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe28⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe29⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe30⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe32⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe33⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe34⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3880 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe36⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe37⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe38⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe39⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe40⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe41⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe42⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe43⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe44⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe45⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe46⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe47⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe48⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe49⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe51⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe52⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe53⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe54⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe55⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe56⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4032 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe58⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe59⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe60⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe61⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe62⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe63⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe65⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe66⤵PID:1096
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe67⤵PID:2304
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe68⤵PID:4640
-
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe69⤵PID:4012
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe70⤵PID:3500
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe71⤵PID:532
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe72⤵
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe73⤵PID:3732
-
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe74⤵PID:3932
-
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe75⤵PID:3628
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe76⤵PID:4836
-
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe77⤵PID:3876
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe78⤵PID:3688
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe79⤵PID:2984
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe80⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe81⤵PID:3360
-
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe82⤵PID:3780
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe83⤵PID:2316
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe84⤵PID:4196
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe85⤵PID:4892
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe86⤵PID:5004
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe87⤵PID:1688
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe88⤵PID:5104
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe89⤵PID:1480
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe90⤵PID:1320
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe91⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe92⤵PID:392
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe93⤵PID:4880
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe94⤵PID:5112
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe95⤵PID:1684
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe96⤵PID:1720
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe97⤵PID:3612
-
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe98⤵PID:4528
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe99⤵PID:4560
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe100⤵PID:1536
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe101⤵PID:2992
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe102⤵PID:3220
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe103⤵PID:5044
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe104⤵PID:2164
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe105⤵PID:5144
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe106⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe107⤵PID:5232
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe108⤵PID:5272
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe109⤵
- Drops file in System32 directory
PID:5320 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe110⤵PID:5364
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe111⤵PID:5408
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe112⤵PID:5456
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe113⤵PID:5504
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe114⤵PID:5548
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe115⤵PID:5592
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe116⤵PID:5636
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe117⤵
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe118⤵PID:5724
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe119⤵PID:5768
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe120⤵PID:5812
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe121⤵PID:5852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-