Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
154s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25/11/2022, 21:14
Static task
static1
Behavioral task
behavioral1
Sample
cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d.exe
Resource
win7-20221111-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d.exe
-
Size
51KB
-
MD5
891c372258b3d7805624bfd223c031e0
-
SHA1
acee2f99f13629206ac329813588712836489716
-
SHA256
cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d
-
SHA512
db0707d319b046b4d361688080a6ddbca29d234242c5931c2d96585b56062844607c66346976efd6179b35b55be22da76c3b1e3aae15fddeb6af7328a0fee4ac
-
SSDEEP
768:VXHiTAXDOfBhlqssF6zvGx0L0jOkrvsXixOJ0TEuXQcGtTEVZDw4Qy6u9b3zz/1Z:VSTBxgMvSpjOih40sEFTzB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfmgjka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pemomqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmofj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbnfleo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfodgeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blennh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckbemgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbnajqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmccchkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkpbin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnipbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajbaika.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhpelfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehailbaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkjjdmaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbhqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojjcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdgglfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclbpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djegekil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghbbcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpgng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbjoeojc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcedmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odljjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kepelfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmagnkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncndo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbllbibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfmbmbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpnakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgkbmdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klbnajqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcnnllcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnaikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigheh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phpfqmio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnlaldg.exe -
Executes dropped EXE 64 IoCs
pid Process 4332 Pfanijdj.exe 1868 Qlcplq32.exe 5068 Agkqoilo.exe 4780 Amgeac32.exe 4968 Benjaceg.exe 4888 Bjlbhbkn.exe 4932 Cjqlca32.exe 1268 Cciplgni.exe 4468 Cckmaflf.exe 4380 Cpomkk32.exe 5052 Cncndo32.exe 2288 Dgkbmdpj.exe 4128 Dnekjogg.exe 3436 Dnhgoned.exe 3244 Djohdo32.exe 224 Dfeiip32.exe 3016 Dciibd32.exe 3592 Dmankjff.exe 760 Ejenen32.exe 4752 Ejjgpnak.exe 1076 Efaheo32.exe 1852 Fcgedbcf.exe 4600 Fcjbibac.exe 4704 Fmbgbhhd.exe 1456 Fgjgepeg.exe 1780 Fgldkp32.exe 1964 Gnfmgjka.exe 2128 Gmkihfpi.exe 1748 Gaibod32.exe 3256 Galodddm.exe 2760 Ganljdbj.exe 4360 Hjfpbi32.exe 2400 Hdaaao32.exe 3132 Haeajc32.exe 1816 Hhojgm32.exe 1460 Hmlbod32.exe 4344 Hajkebhm.exe 3252 Ijbpnhnn.exe 1840 Ialhkb32.exe 1996 Idonbmqi.exe 4072 Iacnlapb.exe 1632 Imjoqbef.exe 1056 Jgbcig32.exe 1188 Jhapcjcj.exe 1072 Jggmdgha.exe 3248 Jpancllp.exe 4376 Jglfpf32.exe 2028 Kpfgnk32.exe 2436 Kogglcpi.exe 2368 Lhgbeg32.exe 4480 Lhpelfhg.exe 3828 Mkcjca32.exe 4936 Mhldgd32.exe 4560 Mofmdofg.exe 2452 Nqifafjb.exe 4320 Nigdcc32.exe 1592 Ongiaiqa.exe 3936 Okkjjnok.exe 2916 Okmfpm32.exe 3904 Paohccgj.exe 3120 Phhqpn32.exe 2784 Plfiflen.exe 2572 Ppdbljkd.exe 2044 Phpfqmio.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gacjadad.exe Ghhhcomg.exe File created C:\Windows\SysWOW64\Gfchag32.dll Bfaigclq.exe File created C:\Windows\SysWOW64\Bfjllnnm.exe Process not Found File created C:\Windows\SysWOW64\Mdphmfph.dll Process not Found File created C:\Windows\SysWOW64\Bcnleb32.exe Process not Found File created C:\Windows\SysWOW64\Iekomapo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kfanflne.exe Process not Found File created C:\Windows\SysWOW64\Eagdjbff.dll Process not Found File opened for modification C:\Windows\SysWOW64\Amgeac32.exe Agkqoilo.exe File opened for modification C:\Windows\SysWOW64\Indfca32.exe Ikejgf32.exe File created C:\Windows\SysWOW64\Lmdbooik.exe Process not Found File created C:\Windows\SysWOW64\Cpjljp32.dll Jaljgidl.exe File created C:\Windows\SysWOW64\Efbdhf32.dll Eachem32.exe File opened for modification C:\Windows\SysWOW64\Cadlbk32.exe Cmfclm32.exe File created C:\Windows\SysWOW64\Cfcjfk32.exe Coiaiakf.exe File created C:\Windows\SysWOW64\Bdnofdgl.dll Process not Found File created C:\Windows\SysWOW64\Ldfhgn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Okkjjnok.exe Ongiaiqa.exe File created C:\Windows\SysWOW64\Lmjcppnj.dll Aihfanhg.exe File created C:\Windows\SysWOW64\Lgjglg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iabodcnj.exe Process not Found File created C:\Windows\SysWOW64\Nclbpf32.exe Nqmfdj32.exe File opened for modification C:\Windows\SysWOW64\Dnljkk32.exe Dgbanq32.exe File created C:\Windows\SysWOW64\Bmapeg32.dll Jaemilci.exe File opened for modification C:\Windows\SysWOW64\Bifkcioc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fdogjk32.exe Process not Found File created C:\Windows\SysWOW64\Oqfdnhfk.exe Ojllan32.exe File created C:\Windows\SysWOW64\Oloahhki.exe Odhifjkg.exe File opened for modification C:\Windows\SysWOW64\Ejbbmnnb.exe Ehcfaboo.exe File created C:\Windows\SysWOW64\Jehokgge.exe Jpgmha32.exe File opened for modification C:\Windows\SysWOW64\Fdccbl32.exe Fmikeaap.exe File created C:\Windows\SysWOW64\Kmqbkkce.dll Okolfj32.exe File opened for modification C:\Windows\SysWOW64\Hocjaj32.exe Process not Found File created C:\Windows\SysWOW64\Cpqnog32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bifbbllg.exe Aiolam32.exe File opened for modification C:\Windows\SysWOW64\Kpccnefa.exe Jiikak32.exe File created C:\Windows\SysWOW64\Bikeni32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mapgfk32.exe Process not Found File created C:\Windows\SysWOW64\Pdbbfadn.exe Process not Found File created C:\Windows\SysWOW64\Helbbkkj.dll Fgjhpcmo.exe File created C:\Windows\SysWOW64\Jlikkkhn.exe Jpbjfjci.exe File opened for modification C:\Windows\SysWOW64\Dgkbmdpj.exe Cncndo32.exe File created C:\Windows\SysWOW64\Anbpqqmm.dll Nobdbkhf.exe File created C:\Windows\SysWOW64\Dkpjdo32.exe Dcibca32.exe File opened for modification C:\Windows\SysWOW64\Lokdnjkg.exe Llmhaold.exe File created C:\Windows\SysWOW64\Mccokj32.exe Mlifnphl.exe File created C:\Windows\SysWOW64\Qeikficp.dll Process not Found File created C:\Windows\SysWOW64\Hfjjlc32.dll Efpomccg.exe File created C:\Windows\SysWOW64\Baaelkfn.dll Ffnknafg.exe File created C:\Windows\SysWOW64\Dfemdcba.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ikejgf32.exe Idkbkl32.exe File opened for modification C:\Windows\SysWOW64\Mbibfm32.exe Mokfja32.exe File created C:\Windows\SysWOW64\Mkjpnc32.dll Process not Found File created C:\Windows\SysWOW64\Fnaokmco.exe Fkcboack.exe File created C:\Windows\SysWOW64\Nabbod32.dll Ejflhm32.exe File created C:\Windows\SysWOW64\Ldbhiiol.dll Biiobo32.exe File opened for modification C:\Windows\SysWOW64\Egpnooan.exe Edaaccbj.exe File created C:\Windows\SysWOW64\Piolpj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fknbil32.exe Fdcjlb32.exe File opened for modification C:\Windows\SysWOW64\Pcegclgp.exe Pafkgphl.exe File opened for modification C:\Windows\SysWOW64\Lmdbooik.exe Process not Found File created C:\Windows\SysWOW64\Phpklp32.exe Process not Found File created C:\Windows\SysWOW64\Ldfakpfj.dll Aalmimfd.exe File opened for modification C:\Windows\SysWOW64\Nfiagd32.exe Ncjdki32.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 10660 10592 Process not Found 1543 10708 10592 Process not Found 1543 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kopcbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeokal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hecjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encnaa32.dll" Maaekg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjnik32.dll" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgfllg.dll" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kongmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmkihfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnidloo.dll" Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbalhp32.dll" Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfkqjmdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll" Cienon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabbod32.dll" Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghoqak32.dll" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgokfblh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgeph32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpgak32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcnggo32.dll" Gaopfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmdfp32.dll" Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imihfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjillkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcpojd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll" Cdkifmjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpomcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Higjaoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidfpeba.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngmnjok.dll" Qiiflaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbpne32.dll" Miaboe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kabcopmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgdkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocmjhfjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll" Njnpppkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmqgabec.dll" Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnlgjdd.dll" Mpghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gillppii.dll" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpancllp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcleml32.dll" Jlhljhbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clomci32.dll" Jdgafjpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnekjogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjhbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjoqjkkb.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4976 wrote to memory of 4332 4976 cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d.exe 78 PID 4976 wrote to memory of 4332 4976 cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d.exe 78 PID 4976 wrote to memory of 4332 4976 cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d.exe 78 PID 4332 wrote to memory of 1868 4332 Pfanijdj.exe 79 PID 4332 wrote to memory of 1868 4332 Pfanijdj.exe 79 PID 4332 wrote to memory of 1868 4332 Pfanijdj.exe 79 PID 1868 wrote to memory of 5068 1868 Qlcplq32.exe 80 PID 1868 wrote to memory of 5068 1868 Qlcplq32.exe 80 PID 1868 wrote to memory of 5068 1868 Qlcplq32.exe 80 PID 5068 wrote to memory of 4780 5068 Agkqoilo.exe 81 PID 5068 wrote to memory of 4780 5068 Agkqoilo.exe 81 PID 5068 wrote to memory of 4780 5068 Agkqoilo.exe 81 PID 4780 wrote to memory of 4968 4780 Amgeac32.exe 82 PID 4780 wrote to memory of 4968 4780 Amgeac32.exe 82 PID 4780 wrote to memory of 4968 4780 Amgeac32.exe 82 PID 4968 wrote to memory of 4888 4968 Benjaceg.exe 83 PID 4968 wrote to memory of 4888 4968 Benjaceg.exe 83 PID 4968 wrote to memory of 4888 4968 Benjaceg.exe 83 PID 4888 wrote to memory of 4932 4888 Bjlbhbkn.exe 84 PID 4888 wrote to memory of 4932 4888 Bjlbhbkn.exe 84 PID 4888 wrote to memory of 4932 4888 Bjlbhbkn.exe 84 PID 4932 wrote to memory of 1268 4932 Cjqlca32.exe 85 PID 4932 wrote to memory of 1268 4932 Cjqlca32.exe 85 PID 4932 wrote to memory of 1268 4932 Cjqlca32.exe 85 PID 1268 wrote to memory of 4468 1268 Cciplgni.exe 86 PID 1268 wrote to memory of 4468 1268 Cciplgni.exe 86 PID 1268 wrote to memory of 4468 1268 Cciplgni.exe 86 PID 4468 wrote to memory of 4380 4468 Cckmaflf.exe 87 PID 4468 wrote to memory of 4380 4468 Cckmaflf.exe 87 PID 4468 wrote to memory of 4380 4468 Cckmaflf.exe 87 PID 4380 wrote to memory of 5052 4380 Cpomkk32.exe 88 PID 4380 wrote to memory of 5052 4380 Cpomkk32.exe 88 PID 4380 wrote to memory of 5052 4380 Cpomkk32.exe 88 PID 5052 wrote to memory of 2288 5052 Cncndo32.exe 89 PID 5052 wrote to memory of 2288 5052 Cncndo32.exe 89 PID 5052 wrote to memory of 2288 5052 Cncndo32.exe 89 PID 2288 wrote to memory of 4128 2288 Dgkbmdpj.exe 90 PID 2288 wrote to memory of 4128 2288 Dgkbmdpj.exe 90 PID 2288 wrote to memory of 4128 2288 Dgkbmdpj.exe 90 PID 4128 wrote to memory of 3436 4128 Dnekjogg.exe 91 PID 4128 wrote to memory of 3436 4128 Dnekjogg.exe 91 PID 4128 wrote to memory of 3436 4128 Dnekjogg.exe 91 PID 3436 wrote to memory of 3244 3436 Dnhgoned.exe 92 PID 3436 wrote to memory of 3244 3436 Dnhgoned.exe 92 PID 3436 wrote to memory of 3244 3436 Dnhgoned.exe 92 PID 3244 wrote to memory of 224 3244 Djohdo32.exe 93 PID 3244 wrote to memory of 224 3244 Djohdo32.exe 93 PID 3244 wrote to memory of 224 3244 Djohdo32.exe 93 PID 224 wrote to memory of 3016 224 Dfeiip32.exe 94 PID 224 wrote to memory of 3016 224 Dfeiip32.exe 94 PID 224 wrote to memory of 3016 224 Dfeiip32.exe 94 PID 3016 wrote to memory of 3592 3016 Dciibd32.exe 95 PID 3016 wrote to memory of 3592 3016 Dciibd32.exe 95 PID 3016 wrote to memory of 3592 3016 Dciibd32.exe 95 PID 3592 wrote to memory of 760 3592 Dmankjff.exe 96 PID 3592 wrote to memory of 760 3592 Dmankjff.exe 96 PID 3592 wrote to memory of 760 3592 Dmankjff.exe 96 PID 760 wrote to memory of 4752 760 Ejenen32.exe 97 PID 760 wrote to memory of 4752 760 Ejenen32.exe 97 PID 760 wrote to memory of 4752 760 Ejenen32.exe 97 PID 4752 wrote to memory of 1076 4752 Ejjgpnak.exe 98 PID 4752 wrote to memory of 1076 4752 Ejjgpnak.exe 98 PID 4752 wrote to memory of 1076 4752 Ejjgpnak.exe 98 PID 1076 wrote to memory of 1852 1076 Efaheo32.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d.exe"C:\Users\Admin\AppData\Local\Temp\cfc687aebe59a693842b94a0cb0b5cb5379af5c788d244c3eb8732e32fb1236d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Pfanijdj.exeC:\Windows\system32\Pfanijdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Qlcplq32.exeC:\Windows\system32\Qlcplq32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Agkqoilo.exeC:\Windows\system32\Agkqoilo.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Amgeac32.exeC:\Windows\system32\Amgeac32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Benjaceg.exeC:\Windows\system32\Benjaceg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Bjlbhbkn.exeC:\Windows\system32\Bjlbhbkn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Cjqlca32.exeC:\Windows\system32\Cjqlca32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Cciplgni.exeC:\Windows\system32\Cciplgni.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Cckmaflf.exeC:\Windows\system32\Cckmaflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Cpomkk32.exeC:\Windows\system32\Cpomkk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Cncndo32.exeC:\Windows\system32\Cncndo32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Dgkbmdpj.exeC:\Windows\system32\Dgkbmdpj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Dnekjogg.exeC:\Windows\system32\Dnekjogg.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Dnhgoned.exeC:\Windows\system32\Dnhgoned.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Djohdo32.exeC:\Windows\system32\Djohdo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Dfeiip32.exeC:\Windows\system32\Dfeiip32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Dciibd32.exeC:\Windows\system32\Dciibd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Dmankjff.exeC:\Windows\system32\Dmankjff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Ejenen32.exeC:\Windows\system32\Ejenen32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Ejjgpnak.exeC:\Windows\system32\Ejjgpnak.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Efaheo32.exeC:\Windows\system32\Efaheo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Fcgedbcf.exeC:\Windows\system32\Fcgedbcf.exe23⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Fcjbibac.exeC:\Windows\system32\Fcjbibac.exe24⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Fmbgbhhd.exeC:\Windows\system32\Fmbgbhhd.exe25⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Fgjgepeg.exeC:\Windows\system32\Fgjgepeg.exe26⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Fgldkp32.exeC:\Windows\system32\Fgldkp32.exe27⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Gnfmgjka.exeC:\Windows\system32\Gnfmgjka.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Gmkihfpi.exeC:\Windows\system32\Gmkihfpi.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Gaibod32.exeC:\Windows\system32\Gaibod32.exe30⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Galodddm.exeC:\Windows\system32\Galodddm.exe31⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Ganljdbj.exeC:\Windows\system32\Ganljdbj.exe32⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hjfpbi32.exeC:\Windows\system32\Hjfpbi32.exe33⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Hdaaao32.exeC:\Windows\system32\Hdaaao32.exe34⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Haeajc32.exeC:\Windows\system32\Haeajc32.exe35⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Hhojgm32.exeC:\Windows\system32\Hhojgm32.exe36⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Hmlbod32.exeC:\Windows\system32\Hmlbod32.exe37⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Hajkebhm.exeC:\Windows\system32\Hajkebhm.exe38⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Ijbpnhnn.exeC:\Windows\system32\Ijbpnhnn.exe39⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Ialhkb32.exeC:\Windows\system32\Ialhkb32.exe40⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Idonbmqi.exeC:\Windows\system32\Idonbmqi.exe41⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Iacnlapb.exeC:\Windows\system32\Iacnlapb.exe42⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Imjoqbef.exeC:\Windows\system32\Imjoqbef.exe43⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Jgbcig32.exeC:\Windows\system32\Jgbcig32.exe44⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Jhapcjcj.exeC:\Windows\system32\Jhapcjcj.exe45⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Jggmdgha.exeC:\Windows\system32\Jggmdgha.exe46⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Jpancllp.exeC:\Windows\system32\Jpancllp.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\Jglfpf32.exeC:\Windows\system32\Jglfpf32.exe48⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Kpfgnk32.exeC:\Windows\system32\Kpfgnk32.exe49⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Kogglcpi.exeC:\Windows\system32\Kogglcpi.exe50⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Lhgbeg32.exeC:\Windows\system32\Lhgbeg32.exe51⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Lhpelfhg.exeC:\Windows\system32\Lhpelfhg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Mkcjca32.exeC:\Windows\system32\Mkcjca32.exe53⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Mhldgd32.exeC:\Windows\system32\Mhldgd32.exe54⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Mofmdofg.exeC:\Windows\system32\Mofmdofg.exe55⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Nqifafjb.exeC:\Windows\system32\Nqifafjb.exe56⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Nigdcc32.exeC:\Windows\system32\Nigdcc32.exe57⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Ongiaiqa.exeC:\Windows\system32\Ongiaiqa.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Okkjjnok.exeC:\Windows\system32\Okkjjnok.exe59⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Okmfpm32.exeC:\Windows\system32\Okmfpm32.exe60⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Paohccgj.exeC:\Windows\system32\Paohccgj.exe61⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Phhqpn32.exeC:\Windows\system32\Phhqpn32.exe62⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Plfiflen.exeC:\Windows\system32\Plfiflen.exe63⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Ppdbljkd.exeC:\Windows\system32\Ppdbljkd.exe64⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Phpfqmio.exeC:\Windows\system32\Phpfqmio.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe66⤵PID:2084
-
C:\Windows\SysWOW64\Qlpllkmc.exeC:\Windows\system32\Qlpllkmc.exe67⤵PID:3552
-
C:\Windows\SysWOW64\Qnnhhflf.exeC:\Windows\system32\Qnnhhflf.exe68⤵PID:3276
-
C:\Windows\SysWOW64\Apndbici.exeC:\Windows\system32\Apndbici.exe69⤵PID:2252
-
C:\Windows\SysWOW64\Aihfanhg.exeC:\Windows\system32\Aihfanhg.exe70⤵
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\Aojhdd32.exeC:\Windows\system32\Aojhdd32.exe71⤵PID:1528
-
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe72⤵
- Drops file in System32 directory
PID:4984 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe73⤵PID:4904
-
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4924 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe75⤵PID:1720
-
C:\Windows\SysWOW64\Bpcgdfaa.exeC:\Windows\system32\Bpcgdfaa.exe76⤵PID:3356
-
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe77⤵PID:4220
-
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe78⤵PID:1132
-
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe79⤵PID:4812
-
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe80⤵PID:208
-
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe81⤵PID:320
-
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe82⤵PID:1972
-
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe83⤵PID:1512
-
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe84⤵PID:3988
-
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe85⤵PID:3984
-
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe86⤵PID:968
-
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe87⤵PID:1360
-
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe88⤵PID:1652
-
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe89⤵PID:1936
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe90⤵PID:2584
-
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe91⤵PID:1624
-
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe92⤵PID:1316
-
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe93⤵PID:1296
-
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe94⤵PID:4396
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe95⤵PID:2544
-
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe96⤵PID:4604
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe97⤵PID:3644
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe98⤵PID:2968
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe99⤵PID:4136
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe100⤵PID:1788
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe101⤵PID:3200
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe102⤵PID:4928
-
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe103⤵PID:3804
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe104⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe105⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe106⤵PID:1576
-
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe107⤵PID:2384
-
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe108⤵
- Drops file in System32 directory
PID:4616 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe109⤵PID:4012
-
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe110⤵PID:4676
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe111⤵PID:5040
-
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe112⤵PID:1524
-
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe113⤵PID:3472
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe114⤵PID:1844
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe115⤵PID:3916
-
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe116⤵PID:1968
-
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe117⤵PID:748
-
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe118⤵PID:4124
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe119⤵PID:1156
-
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4892 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe121⤵PID:5136
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-