Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
54s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05/03/2024, 21:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe
-
Size
2.2MB
-
MD5
30f3d19e239f2b6ec4ea19f51804628f
-
SHA1
20fc6a5ebd778024a56553f52a8415557835f136
-
SHA256
646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986
-
SHA512
2f62bf3ef94196f3a6cd32386c7c2c9b41aeccef004d6c054bd79b19475d51a22fbc7d2fa33a61197aad3c2fb7aedf40dcffc2da2dcd043f2f3f85c3a86a1f50
-
SSDEEP
24576:Pf6X1q5h3q5hkntq5hU6X1q5h3q5h52q5h3q5hL6X1q5h3q5hM5Dg7:X6Gn9646KW
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imnjbhaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhppik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfkpiled.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcelml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jicdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djegekil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egknji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpcbchm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekimjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfoegm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hohjgpmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpepbgbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhfbog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geklckkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnljkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejagaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keimof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiopca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcikejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplaoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijbbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeolckne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcinq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcehdod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkbmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgkgijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfepdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdffah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqkhda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oggbfdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccblbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afappe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhqefpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fofdkcmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nconfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egkddo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obidcdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lechkaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhnichde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodjjimm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amikgpcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpoaom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khfdlnab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgplado.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klggli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbalaoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcgjhega.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnenlka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdapehop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkdibjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehhqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjjkble.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe -
Executes dropped EXE 64 IoCs
pid Process 4880 Poimpapp.exe 1440 Palbgl32.exe 1868 Pkgcea32.exe 2816 Alkijdci.exe 1212 Alpbecod.exe 1564 Baadiiif.exe 1484 Badanigc.exe 916 Bheplb32.exe 4588 Cdnmfclj.exe 3800 Ckjbhmad.exe 1312 Ckmonl32.exe 5016 Ddgplado.exe 2276 Dodjjimm.exe 4324 Eokqkh32.exe 2896 Epmmqheb.exe 1576 Fflohaij.exe 2308 Ffceip32.exe 2432 Gemkelcd.exe 1572 Geohklaa.exe 3384 Gbeejp32.exe 3848 Hefnkkkj.exe 5012 Iepaaico.exe 3792 Iebngial.exe 2516 Igdgglfl.exe 4348 Ieidhh32.exe 1016 Jcmdaljn.exe 3468 Jngbjd32.exe 3732 Jllokajf.exe 2876 Jlolpq32.exe 1352 Klahfp32.exe 5152 Keimof32.exe 5208 Koaagkcb.exe 5272 Lpfgmnfp.exe 5316 Lqhdbm32.exe 5356 Lnldla32.exe 5404 Mnjqmpgg.exe 5448 Nfaemp32.exe 5492 Oanokhdb.exe 5536 Ondljl32.exe 5572 Pjmjdm32.exe 5616 Pffgom32.exe 5684 Phfcipoo.exe 5740 Qfkqjmdg.exe 5780 Qdoacabq.exe 5820 Ahmjjoig.exe 5864 Adcjop32.exe 5904 Ahaceo32.exe 5944 Adhdjpjf.exe 5984 Apodoq32.exe 6040 Amcehdod.exe 6100 Bobabg32.exe 6140 Boenhgdd.exe 5268 Bklomh32.exe 5236 Bknlbhhe.exe 4024 Bhblllfo.exe 4384 Cpmapodj.exe 5560 Ckbemgcp.exe 5672 Chfegk32.exe 5772 Cpdgqmnb.exe 4856 Cacckp32.exe 5856 Dpiplm32.exe 5796 Dojqjdbl.exe 5976 Ddgibkpc.exe 6048 Dakikoom.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Alkijdci.exe Pkgcea32.exe File created C:\Windows\SysWOW64\Ddklbd32.exe Djegekil.exe File created C:\Windows\SysWOW64\Enjfli32.exe Edaaccbj.exe File opened for modification C:\Windows\SysWOW64\Mojopk32.exe Mebkge32.exe File created C:\Windows\SysWOW64\Lahjag32.dll Jgedjjki.exe File created C:\Windows\SysWOW64\Kioghlbd.dll Qdoacabq.exe File created C:\Windows\SysWOW64\Fpmfmgnc.dll Ekajec32.exe File created C:\Windows\SysWOW64\Hodlgn32.dll Feenjgfq.exe File created C:\Windows\SysWOW64\Ilphdlqh.exe Ibgdlg32.exe File opened for modification C:\Windows\SysWOW64\Egkddo32.exe Dncpkjoc.exe File created C:\Windows\SysWOW64\Apocmn32.dll Gqkhda32.exe File opened for modification C:\Windows\SysWOW64\Cpqlfa32.exe Cekhihig.exe File created C:\Windows\SysWOW64\Mhppik32.exe Moglpedd.exe File created C:\Windows\SysWOW64\Dlhlck32.dll Fhnichde.exe File created C:\Windows\SysWOW64\Caecnh32.dll Mledmg32.exe File opened for modification C:\Windows\SysWOW64\Ifmldo32.exe Iqpclh32.exe File created C:\Windows\SysWOW64\Gpaaneok.dll Igqbiacj.exe File opened for modification C:\Windows\SysWOW64\Kjmjgk32.exe Jmijnfgd.exe File opened for modification C:\Windows\SysWOW64\Igdgglfl.exe Iebngial.exe File opened for modification C:\Windows\SysWOW64\Bhblllfo.exe Bknlbhhe.exe File created C:\Windows\SysWOW64\Gkalbj32.exe Gqkhda32.exe File created C:\Windows\SysWOW64\Dkheoa32.dll Memalfcb.exe File created C:\Windows\SysWOW64\Piolkm32.exe Pofhbgmn.exe File created C:\Windows\SysWOW64\Doljemai.dll Jfmekm32.exe File opened for modification C:\Windows\SysWOW64\Lhmjlm32.exe Lndfchdj.exe File opened for modification C:\Windows\SysWOW64\Bpaikm32.exe Bghddp32.exe File created C:\Windows\SysWOW64\Fcqlqnpo.dll Cfgace32.exe File created C:\Windows\SysWOW64\Gimngjie.dll Ebifmm32.exe File created C:\Windows\SysWOW64\Ojnfihmo.exe Ooibkpmi.exe File opened for modification C:\Windows\SysWOW64\Gedfblql.exe Gllajf32.exe File opened for modification C:\Windows\SysWOW64\Jobfdl32.exe Jfjakgpa.exe File created C:\Windows\SysWOW64\Igdgglfl.exe Iebngial.exe File opened for modification C:\Windows\SysWOW64\Jngbjd32.exe Jcmdaljn.exe File created C:\Windows\SysWOW64\Ahaceo32.exe Adcjop32.exe File created C:\Windows\SysWOW64\Ibmlia32.dll Cpmapodj.exe File opened for modification C:\Windows\SysWOW64\Oflmnh32.exe Omdieb32.exe File created C:\Windows\SysWOW64\Abmjqe32.exe Aidehpea.exe File opened for modification C:\Windows\SysWOW64\Ijbbfc32.exe Ieeimlep.exe File created C:\Windows\SysWOW64\Nfknmd32.exe Nlcidopb.exe File created C:\Windows\SysWOW64\Kpmmhc32.dll Nfpghccm.exe File opened for modification C:\Windows\SysWOW64\Pomncfge.exe Pehjfm32.exe File opened for modification C:\Windows\SysWOW64\Kceoppmo.exe Kjmjgk32.exe File created C:\Windows\SysWOW64\Adkcem32.dll Bpfcelml.exe File created C:\Windows\SysWOW64\Iedanb32.dll Doqbifpl.exe File created C:\Windows\SysWOW64\Hlkfbocp.exe Gngeik32.exe File opened for modification C:\Windows\SysWOW64\Johggfha.exe Jikoopij.exe File created C:\Windows\SysWOW64\Oifppdpd.exe Ocihgnam.exe File created C:\Windows\SysWOW64\Mkfbmfbn.dll Cekhihig.exe File opened for modification C:\Windows\SysWOW64\Eokqkh32.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Gngeik32.exe Gacepg32.exe File created C:\Windows\SysWOW64\Jikoopij.exe Jlgoek32.exe File created C:\Windows\SysWOW64\Bcejdp32.dll Mjnnbk32.exe File created C:\Windows\SysWOW64\Kjmjgk32.exe Jmijnfgd.exe File created C:\Windows\SysWOW64\Kenognbk.dll Dfqdid32.exe File created C:\Windows\SysWOW64\Ddgplado.exe Ckmonl32.exe File opened for modification C:\Windows\SysWOW64\Hnnljj32.exe Heegad32.exe File created C:\Windows\SysWOW64\Jjfaml32.dll Mkepineo.exe File opened for modification C:\Windows\SysWOW64\Ljncnhhk.exe Leqkeajd.exe File created C:\Windows\SysWOW64\Apodoq32.exe Adhdjpjf.exe File created C:\Windows\SysWOW64\Dllfqd32.dll Dpiplm32.exe File created C:\Windows\SysWOW64\Fkhpfbce.exe Fbplml32.exe File created C:\Windows\SysWOW64\Egopbhnc.dll Lhcali32.exe File created C:\Windows\SysWOW64\Qikbaaml.exe Pjcikejg.exe File opened for modification C:\Windows\SysWOW64\Jldkeeig.exe Jblflp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5428 5716 Process not Found 1593 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeilne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epmmqheb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdmb32.dll" Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipbmd32.dll" Nmfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkdpbpih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbfdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibbcfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egkddo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jldkeeig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okfbgiij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bemlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcpkph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leeigm32.dll" Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edaaccbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhppik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epiflfbm.dll" Pfbfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piolkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ielfgmnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofbkbfe.dll" Pmeoqlpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpbpopl.dll" Lhmjlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghfphob.dll" Ieidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qikbaaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmfbplf.dll" Gndbie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieidhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmnlpcel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqgecof.dll" Oolnabal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgmnooom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebifmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hccggl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epiaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhiljk32.dll" Hcfcmnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodjjimm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbigo32.dll" Dncpkjoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ledoegkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgnlmdcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mledmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmamba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kidfkild.dll" Fnnimbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajnpjce.dll" Ifmldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pldnki32.dll" Jffokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebqnm32.dll" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpihhpj.dll" Hlkfbocp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klggli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dncpkjoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igmoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeilne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkhbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Halaloif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bldgoeog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kceoppmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll" Paihlpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll" Cacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcgqag32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1032 wrote to memory of 4880 1032 646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe 97 PID 1032 wrote to memory of 4880 1032 646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe 97 PID 1032 wrote to memory of 4880 1032 646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe 97 PID 4880 wrote to memory of 1440 4880 Poimpapp.exe 386 PID 4880 wrote to memory of 1440 4880 Poimpapp.exe 386 PID 4880 wrote to memory of 1440 4880 Poimpapp.exe 386 PID 1440 wrote to memory of 1868 1440 Palbgl32.exe 387 PID 1440 wrote to memory of 1868 1440 Palbgl32.exe 387 PID 1440 wrote to memory of 1868 1440 Palbgl32.exe 387 PID 1868 wrote to memory of 2816 1868 Pkgcea32.exe 100 PID 1868 wrote to memory of 2816 1868 Pkgcea32.exe 100 PID 1868 wrote to memory of 2816 1868 Pkgcea32.exe 100 PID 2816 wrote to memory of 1212 2816 Alkijdci.exe 394 PID 2816 wrote to memory of 1212 2816 Alkijdci.exe 394 PID 2816 wrote to memory of 1212 2816 Alkijdci.exe 394 PID 1212 wrote to memory of 1564 1212 Alpbecod.exe 399 PID 1212 wrote to memory of 1564 1212 Alpbecod.exe 399 PID 1212 wrote to memory of 1564 1212 Alpbecod.exe 399 PID 1564 wrote to memory of 1484 1564 Baadiiif.exe 103 PID 1564 wrote to memory of 1484 1564 Baadiiif.exe 103 PID 1564 wrote to memory of 1484 1564 Baadiiif.exe 103 PID 1484 wrote to memory of 916 1484 Badanigc.exe 104 PID 1484 wrote to memory of 916 1484 Badanigc.exe 104 PID 1484 wrote to memory of 916 1484 Badanigc.exe 104 PID 916 wrote to memory of 4588 916 Bheplb32.exe 105 PID 916 wrote to memory of 4588 916 Bheplb32.exe 105 PID 916 wrote to memory of 4588 916 Bheplb32.exe 105 PID 4588 wrote to memory of 3800 4588 Cdnmfclj.exe 106 PID 4588 wrote to memory of 3800 4588 Cdnmfclj.exe 106 PID 4588 wrote to memory of 3800 4588 Cdnmfclj.exe 106 PID 3800 wrote to memory of 1312 3800 Ckjbhmad.exe 107 PID 3800 wrote to memory of 1312 3800 Ckjbhmad.exe 107 PID 3800 wrote to memory of 1312 3800 Ckjbhmad.exe 107 PID 1312 wrote to memory of 5016 1312 Ckmonl32.exe 108 PID 1312 wrote to memory of 5016 1312 Ckmonl32.exe 108 PID 1312 wrote to memory of 5016 1312 Ckmonl32.exe 108 PID 5016 wrote to memory of 2276 5016 Ddgplado.exe 109 PID 5016 wrote to memory of 2276 5016 Ddgplado.exe 109 PID 5016 wrote to memory of 2276 5016 Ddgplado.exe 109 PID 2276 wrote to memory of 4324 2276 Dodjjimm.exe 110 PID 2276 wrote to memory of 4324 2276 Dodjjimm.exe 110 PID 2276 wrote to memory of 4324 2276 Dodjjimm.exe 110 PID 4324 wrote to memory of 2896 4324 Eokqkh32.exe 111 PID 4324 wrote to memory of 2896 4324 Eokqkh32.exe 111 PID 4324 wrote to memory of 2896 4324 Eokqkh32.exe 111 PID 2896 wrote to memory of 1576 2896 Epmmqheb.exe 112 PID 2896 wrote to memory of 1576 2896 Epmmqheb.exe 112 PID 2896 wrote to memory of 1576 2896 Epmmqheb.exe 112 PID 1576 wrote to memory of 2308 1576 Fflohaij.exe 113 PID 1576 wrote to memory of 2308 1576 Fflohaij.exe 113 PID 1576 wrote to memory of 2308 1576 Fflohaij.exe 113 PID 2308 wrote to memory of 2432 2308 Ffceip32.exe 114 PID 2308 wrote to memory of 2432 2308 Ffceip32.exe 114 PID 2308 wrote to memory of 2432 2308 Ffceip32.exe 114 PID 2432 wrote to memory of 1572 2432 Gemkelcd.exe 115 PID 2432 wrote to memory of 1572 2432 Gemkelcd.exe 115 PID 2432 wrote to memory of 1572 2432 Gemkelcd.exe 115 PID 1572 wrote to memory of 3384 1572 Geohklaa.exe 116 PID 1572 wrote to memory of 3384 1572 Geohklaa.exe 116 PID 1572 wrote to memory of 3384 1572 Geohklaa.exe 116 PID 3384 wrote to memory of 3848 3384 Gbeejp32.exe 117 PID 3384 wrote to memory of 3848 3384 Gbeejp32.exe 117 PID 3384 wrote to memory of 3848 3384 Gbeejp32.exe 117 PID 3848 wrote to memory of 5012 3848 Hefnkkkj.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe"C:\Users\Admin\AppData\Local\Temp\646514ed0609fac5781710a9cb008a1eacd3e034d7cc69129b53f9151c716986.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Ckjbhmad.exeC:\Windows\system32\Ckjbhmad.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Iepaaico.exeC:\Windows\system32\Iepaaico.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3792 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe25⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe28⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe29⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe30⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe31⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Keimof32.exeC:\Windows\system32\Keimof32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5152 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe33⤵
- Executes dropped EXE
PID:5208 -
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe34⤵
- Executes dropped EXE
PID:5272 -
C:\Windows\SysWOW64\Lqhdbm32.exeC:\Windows\system32\Lqhdbm32.exe35⤵
- Executes dropped EXE
PID:5316 -
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe36⤵
- Executes dropped EXE
PID:5356 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe37⤵
- Executes dropped EXE
PID:5404 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe38⤵
- Executes dropped EXE
PID:5448 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe39⤵
- Executes dropped EXE
PID:5492 -
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe40⤵
- Executes dropped EXE
PID:5536 -
C:\Windows\SysWOW64\Pjmjdm32.exeC:\Windows\system32\Pjmjdm32.exe41⤵
- Executes dropped EXE
PID:5572 -
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe42⤵
- Executes dropped EXE
PID:5616 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe43⤵
- Executes dropped EXE
PID:5684 -
C:\Windows\SysWOW64\Qfkqjmdg.exeC:\Windows\system32\Qfkqjmdg.exe44⤵
- Executes dropped EXE
PID:5740 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe46⤵
- Executes dropped EXE
PID:5820 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe48⤵
- Executes dropped EXE
PID:5904 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5944 -
C:\Windows\SysWOW64\Apodoq32.exeC:\Windows\system32\Apodoq32.exe50⤵
- Executes dropped EXE
PID:5984 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:6040 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe52⤵
- Executes dropped EXE
PID:6100 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe53⤵
- Executes dropped EXE
PID:6140 -
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe54⤵
- Executes dropped EXE
PID:5268 -
C:\Windows\SysWOW64\Bknlbhhe.exeC:\Windows\system32\Bknlbhhe.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Bhblllfo.exeC:\Windows\system32\Bhblllfo.exe56⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Cpmapodj.exeC:\Windows\system32\Cpmapodj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4384 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Chfegk32.exeC:\Windows\system32\Chfegk32.exe59⤵
- Executes dropped EXE
PID:5672 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe60⤵
- Executes dropped EXE
PID:5772 -
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe61⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe63⤵
- Executes dropped EXE
PID:5796 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe64⤵
- Executes dropped EXE
PID:5976 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe65⤵
- Executes dropped EXE
PID:6048 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe66⤵PID:6124
-
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224 -
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe68⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe69⤵PID:5636
-
C:\Windows\SysWOW64\Eqdpgk32.exeC:\Windows\system32\Eqdpgk32.exe70⤵PID:3976
-
C:\Windows\SysWOW64\Eqgmmk32.exeC:\Windows\system32\Eqgmmk32.exe71⤵PID:1964
-
C:\Windows\SysWOW64\Egcaod32.exeC:\Windows\system32\Egcaod32.exe72⤵
- Modifies registry class
PID:5652 -
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:5876 -
C:\Windows\SysWOW64\Ekajec32.exeC:\Windows\system32\Ekajec32.exe74⤵
- Drops file in System32 directory
PID:6120 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe75⤵PID:5372
-
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe76⤵PID:5528
-
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe77⤵PID:4356
-
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe78⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Fkhpfbce.exeC:\Windows\system32\Fkhpfbce.exe79⤵PID:6032
-
C:\Windows\SysWOW64\Fqeioiam.exeC:\Windows\system32\Fqeioiam.exe80⤵PID:5348
-
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe81⤵PID:5228
-
C:\Windows\SysWOW64\Fganqbgg.exeC:\Windows\system32\Fganqbgg.exe82⤵PID:5752
-
C:\Windows\SysWOW64\Feenjgfq.exeC:\Windows\system32\Feenjgfq.exe83⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe84⤵PID:3780
-
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe85⤵PID:5304
-
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe86⤵
- Modifies registry class
PID:5852 -
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe87⤵PID:5808
-
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe88⤵
- Drops file in System32 directory
PID:5936 -
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe89⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe90⤵
- Modifies registry class
PID:6132 -
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe91⤵PID:4648
-
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe92⤵
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Hnnljj32.exeC:\Windows\system32\Hnnljj32.exe93⤵PID:5972
-
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe94⤵PID:6184
-
C:\Windows\SysWOW64\Hifmmb32.exeC:\Windows\system32\Hifmmb32.exe95⤵PID:6228
-
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe96⤵PID:6268
-
C:\Windows\SysWOW64\Inebjihf.exeC:\Windows\system32\Inebjihf.exe97⤵PID:6324
-
C:\Windows\SysWOW64\Ihmfco32.exeC:\Windows\system32\Ihmfco32.exe98⤵PID:6372
-
C:\Windows\SysWOW64\Iafkld32.exeC:\Windows\system32\Iafkld32.exe99⤵PID:6416
-
C:\Windows\SysWOW64\Ipgkjlmg.exeC:\Windows\system32\Ipgkjlmg.exe100⤵PID:6472
-
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6520 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe102⤵
- Drops file in System32 directory
PID:6572 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe103⤵PID:6616
-
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe104⤵PID:6656
-
C:\Windows\SysWOW64\Joqafgni.exeC:\Windows\system32\Joqafgni.exe105⤵PID:6704
-
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe106⤵PID:6740
-
C:\Windows\SysWOW64\Jbojlfdp.exeC:\Windows\system32\Jbojlfdp.exe107⤵
- Modifies registry class
PID:6788 -
C:\Windows\SysWOW64\Jlgoek32.exeC:\Windows\system32\Jlgoek32.exe108⤵
- Drops file in System32 directory
PID:6836 -
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe109⤵
- Drops file in System32 directory
PID:6876 -
C:\Windows\SysWOW64\Johggfha.exeC:\Windows\system32\Johggfha.exe110⤵PID:6924
-
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe111⤵PID:6968
-
C:\Windows\SysWOW64\Kedlip32.exeC:\Windows\system32\Kedlip32.exe112⤵PID:7008
-
C:\Windows\SysWOW64\Kbhmbdle.exeC:\Windows\system32\Kbhmbdle.exe113⤵PID:7052
-
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe114⤵PID:7096
-
C:\Windows\SysWOW64\Keifdpif.exeC:\Windows\system32\Keifdpif.exe115⤵PID:7144
-
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe116⤵PID:6168
-
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe117⤵PID:6224
-
C:\Windows\SysWOW64\Kcoccc32.exeC:\Windows\system32\Kcoccc32.exe118⤵PID:6304
-
C:\Windows\SysWOW64\Klggli32.exeC:\Windows\system32\Klggli32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6364 -
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe120⤵PID:3124
-
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6528
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-