Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/04/2024, 00:07
Static task
static1
Behavioral task
behavioral1
Sample
a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe
Resource
win10v2004-20240226-en
General
-
Target
a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe
-
Size
270KB
-
MD5
27eb334dc77a18c002e3675f01b7b1fb
-
SHA1
205791331f39949effdaafe0a8103b117c05d43c
-
SHA256
a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21
-
SHA512
171cfad63c9fe6dc08d67462307eb5593f94d095e25b0729f341981ad86b19b4236765775bda15bc1588a955707e79eab23d722151b451432a59d956ac3895a9
-
SSDEEP
6144:l+7p6Gl/p6QWGKa4gXWG6hRNjpck4MetpS+f2uXLO+AGb+oPri2O3py69mNoRqzM:l+J6hb2XtpD2ub7A2Vri730697qy5oNK
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcifkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdhiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffekegon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnhekgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpihai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmmhdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkepnjng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpojcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfipekh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecbenm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckhdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpenfjad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfdida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdaldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpjnkpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcgohig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckhdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjepaecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqfooodg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiffen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmccchkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahbje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikfip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjolnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjfcecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgekbljc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kibnhjgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbnmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emjjgbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmocba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpenfjad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfhbppbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdaldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kknafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifmnpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjbcbqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haggelfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkdggmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijdhiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklnhlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmhjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifhiib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdemhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhfee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmcjld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjepaecb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmficqpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgdbkohf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhlnbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkiqbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpebmkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiffen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipqnahgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idofhfmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdelajl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnnhk32.exe -
Executes dropped EXE 64 IoCs
pid Process 1432 Ecbenm32.exe 3524 Ejlmkgkl.exe 736 Emjjgbjp.exe 4628 Eoifcnid.exe 2780 Fbgbpihg.exe 4116 Ffbnph32.exe 3256 Fmmfmbhn.exe 4368 Fcgoilpj.exe 1188 Ffekegon.exe 4520 Fmocba32.exe 376 Fcikolnh.exe 2368 Ffggkgmk.exe 3884 Fifdgblo.exe 4232 Fckhdk32.exe 1496 Fjepaecb.exe 2932 Fqohnp32.exe 4960 Fcnejk32.exe 2212 Fjhmgeao.exe 1636 Fmficqpc.exe 5040 Fodeolof.exe 2616 Gjjjle32.exe 624 Gqdbiofi.exe 3692 Gcbnejem.exe 4264 Giofnacd.exe 620 Gqfooodg.exe 2720 Gcekkjcj.exe 4032 Gjocgdkg.exe 908 Gpklpkio.exe 1196 Gpnhekgl.exe 936 Gifmnpnl.exe 1004 Gppekj32.exe 3388 Hapaemll.exe 3136 Hikfip32.exe 764 Hmfbjnbp.exe 3936 Hpenfjad.exe 4144 Hbckbepg.exe 3516 Hjjbcbqj.exe 1416 Hmioonpn.exe 2684 Hpgkkioa.exe 216 Hbeghene.exe 4804 Hfachc32.exe 2264 Haggelfd.exe 1732 Hpihai32.exe 4152 Hfcpncdk.exe 3544 Hjolnb32.exe 4780 Hmmhjm32.exe 1112 Ipldfi32.exe 804 Ibjqcd32.exe 4936 Ijaida32.exe 3336 Impepm32.exe 2252 Iakaql32.exe 4376 Ibmmhdhm.exe 1080 Ifhiib32.exe 3600 Iiffen32.exe 2928 Ipqnahgf.exe 2536 Ibojncfj.exe 2508 Ijfboafl.exe 4528 Iapjlk32.exe 4336 Idofhfmm.exe 5032 Ifmcdblq.exe 4440 Imgkql32.exe 3784 Idacmfkj.exe 4468 Ijkljp32.exe 3088 Jpgdbg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ejlmkgkl.exe Ecbenm32.exe File opened for modification C:\Windows\SysWOW64\Ibjqcd32.exe Ipldfi32.exe File created C:\Windows\SysWOW64\Kacphh32.exe Kkihknfg.exe File opened for modification C:\Windows\SysWOW64\Laciofpa.exe Lnhmng32.exe File created C:\Windows\SysWOW64\Bbgkjl32.dll Ldaeka32.exe File created C:\Windows\SysWOW64\Cfjbmnlq.dll Fjepaecb.exe File created C:\Windows\SysWOW64\Ggcjqj32.dll Jiphkm32.exe File opened for modification C:\Windows\SysWOW64\Kinemkko.exe Kbdmpqcb.exe File created C:\Windows\SysWOW64\Gbbkdl32.dll Mnfipekh.exe File created C:\Windows\SysWOW64\Mkepnjng.exe Mnapdf32.exe File created C:\Windows\SysWOW64\Fmmfmbhn.exe Ffbnph32.exe File created C:\Windows\SysWOW64\Mbfppi32.dll Fcgoilpj.exe File opened for modification C:\Windows\SysWOW64\Jdcpcf32.exe Jpgdbg32.exe File created C:\Windows\SysWOW64\Jdkind32.dll Jfaloa32.exe File created C:\Windows\SysWOW64\Kdaldd32.exe Kacphh32.exe File created C:\Windows\SysWOW64\Ihaoimoh.dll Kdcijcke.exe File created C:\Windows\SysWOW64\Bheenp32.dll Lgpagm32.exe File created C:\Windows\SysWOW64\Ijkljp32.exe Idacmfkj.exe File opened for modification C:\Windows\SysWOW64\Jjpeepnb.exe Jfdida32.exe File created C:\Windows\SysWOW64\Jkdnpo32.exe Jfhbppbc.exe File created C:\Windows\SysWOW64\Kinemkko.exe Kbdmpqcb.exe File created C:\Windows\SysWOW64\Kmlnbi32.exe Kknafn32.exe File opened for modification C:\Windows\SysWOW64\Jdjfcecp.exe Jpojcf32.exe File opened for modification C:\Windows\SysWOW64\Mgekbljc.exe Mdfofakp.exe File opened for modification C:\Windows\SysWOW64\Ffbnph32.exe Fbgbpihg.exe File created C:\Windows\SysWOW64\Lpacnb32.dll Gpklpkio.exe File created C:\Windows\SysWOW64\Bclgpkgk.dll Ifmcdblq.exe File created C:\Windows\SysWOW64\Idacmfkj.exe Imgkql32.exe File created C:\Windows\SysWOW64\Nphqml32.dll Jfkoeppq.exe File created C:\Windows\SysWOW64\Kaemnhla.exe Kinemkko.exe File created C:\Windows\SysWOW64\Fcdjjo32.dll Nqfbaq32.exe File created C:\Windows\SysWOW64\Ocdehlgh.dll Gjocgdkg.exe File created C:\Windows\SysWOW64\Mlmpolji.dll Hpihai32.exe File created C:\Windows\SysWOW64\Ijfboafl.exe Ibojncfj.exe File created C:\Windows\SysWOW64\Gkillp32.dll Ifhiib32.exe File created C:\Windows\SysWOW64\Ipqnahgf.exe Iiffen32.exe File opened for modification C:\Windows\SysWOW64\Mcpebmkb.exe Mncmjfmk.exe File created C:\Windows\SysWOW64\Bppheeep.dll Eoifcnid.exe File created C:\Windows\SysWOW64\Ckfliccm.dll Ffekegon.exe File opened for modification C:\Windows\SysWOW64\Kpmfddnf.exe Kmnjhioc.exe File created C:\Windows\SysWOW64\Gqffnmfa.dll Mgghhlhq.exe File opened for modification C:\Windows\SysWOW64\Nqfbaq32.exe Nacbfdao.exe File opened for modification C:\Windows\SysWOW64\Jfdida32.exe Jdemhe32.exe File created C:\Windows\SysWOW64\Gqdbiofi.exe Gjjjle32.exe File created C:\Windows\SysWOW64\Gpklpkio.exe Gjocgdkg.exe File created C:\Windows\SysWOW64\Hbeghene.exe Hpgkkioa.exe File created C:\Windows\SysWOW64\Ijaida32.exe Ibjqcd32.exe File opened for modification C:\Windows\SysWOW64\Fmmfmbhn.exe Ffbnph32.exe File opened for modification C:\Windows\SysWOW64\Ldkojb32.exe Kkbkamnl.exe File opened for modification C:\Windows\SysWOW64\Lgkhlnbn.exe Ldmlpbbj.exe File created C:\Windows\SysWOW64\Ejlmkgkl.exe Ecbenm32.exe File opened for modification C:\Windows\SysWOW64\Ffekegon.exe Fcgoilpj.exe File created C:\Windows\SysWOW64\Ldaeka32.exe Laciofpa.exe File opened for modification C:\Windows\SysWOW64\Ldaeka32.exe Laciofpa.exe File created C:\Windows\SysWOW64\Agbnmibj.dll Mpmokb32.exe File created C:\Windows\SysWOW64\Cknpkhch.dll Ndghmo32.exe File opened for modification C:\Windows\SysWOW64\Fmocba32.exe Ffekegon.exe File created C:\Windows\SysWOW64\Hmioonpn.exe Hjjbcbqj.exe File opened for modification C:\Windows\SysWOW64\Ijaida32.exe Ibjqcd32.exe File created C:\Windows\SysWOW64\Jfkoeppq.exe Jdmcidam.exe File opened for modification C:\Windows\SysWOW64\Kdaldd32.exe Kacphh32.exe File created C:\Windows\SysWOW64\Hlmobp32.dll Nkjjij32.exe File created C:\Windows\SysWOW64\Fcgoilpj.exe Fmmfmbhn.exe File created C:\Windows\SysWOW64\Nnjbke32.exe Ngpjnkpf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6316 6216 WerFault.exe 240 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll" Hpihai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll" Lnjjdgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" Nnolfdcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" Ijfboafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngcgcjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kinemkko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjjod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll" Fcikolnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll" Fjhmgeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiphkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkihknfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" Ngpjnkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqdbiofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmioonpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmmhdhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lddbqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll" Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll" Ldkojb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll" Gqfooodg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpgkkioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipldfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipqnahgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll" Jdjfcecp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnfipekh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll" Emjjgbjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqdbiofi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibojncfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfhbppbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngcgcjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbeghene.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmmhdhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaemnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll" Fodeolof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfdida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll" Hpenfjad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpccnefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll" Jagqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll" Jfffjqdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbklj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfkoeppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll" Kdaldd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibjqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll" Jdcpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkepnjng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiffen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll" Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpnhekgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpenfjad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll" Kgmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll" Ldaeka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjjjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll" Jiphkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll" Lnhmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll" Mjcgohig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcpncdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkdggmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll" Haggelfd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 1432 2108 a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe 85 PID 2108 wrote to memory of 1432 2108 a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe 85 PID 2108 wrote to memory of 1432 2108 a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe 85 PID 1432 wrote to memory of 3524 1432 Ecbenm32.exe 86 PID 1432 wrote to memory of 3524 1432 Ecbenm32.exe 86 PID 1432 wrote to memory of 3524 1432 Ecbenm32.exe 86 PID 3524 wrote to memory of 736 3524 Ejlmkgkl.exe 87 PID 3524 wrote to memory of 736 3524 Ejlmkgkl.exe 87 PID 3524 wrote to memory of 736 3524 Ejlmkgkl.exe 87 PID 736 wrote to memory of 4628 736 Emjjgbjp.exe 88 PID 736 wrote to memory of 4628 736 Emjjgbjp.exe 88 PID 736 wrote to memory of 4628 736 Emjjgbjp.exe 88 PID 4628 wrote to memory of 2780 4628 Eoifcnid.exe 89 PID 4628 wrote to memory of 2780 4628 Eoifcnid.exe 89 PID 4628 wrote to memory of 2780 4628 Eoifcnid.exe 89 PID 2780 wrote to memory of 4116 2780 Fbgbpihg.exe 90 PID 2780 wrote to memory of 4116 2780 Fbgbpihg.exe 90 PID 2780 wrote to memory of 4116 2780 Fbgbpihg.exe 90 PID 4116 wrote to memory of 3256 4116 Ffbnph32.exe 91 PID 4116 wrote to memory of 3256 4116 Ffbnph32.exe 91 PID 4116 wrote to memory of 3256 4116 Ffbnph32.exe 91 PID 3256 wrote to memory of 4368 3256 Fmmfmbhn.exe 92 PID 3256 wrote to memory of 4368 3256 Fmmfmbhn.exe 92 PID 3256 wrote to memory of 4368 3256 Fmmfmbhn.exe 92 PID 4368 wrote to memory of 1188 4368 Fcgoilpj.exe 93 PID 4368 wrote to memory of 1188 4368 Fcgoilpj.exe 93 PID 4368 wrote to memory of 1188 4368 Fcgoilpj.exe 93 PID 1188 wrote to memory of 4520 1188 Ffekegon.exe 94 PID 1188 wrote to memory of 4520 1188 Ffekegon.exe 94 PID 1188 wrote to memory of 4520 1188 Ffekegon.exe 94 PID 4520 wrote to memory of 376 4520 Fmocba32.exe 95 PID 4520 wrote to memory of 376 4520 Fmocba32.exe 95 PID 4520 wrote to memory of 376 4520 Fmocba32.exe 95 PID 376 wrote to memory of 2368 376 Fcikolnh.exe 96 PID 376 wrote to memory of 2368 376 Fcikolnh.exe 96 PID 376 wrote to memory of 2368 376 Fcikolnh.exe 96 PID 2368 wrote to memory of 3884 2368 Ffggkgmk.exe 97 PID 2368 wrote to memory of 3884 2368 Ffggkgmk.exe 97 PID 2368 wrote to memory of 3884 2368 Ffggkgmk.exe 97 PID 3884 wrote to memory of 4232 3884 Fifdgblo.exe 98 PID 3884 wrote to memory of 4232 3884 Fifdgblo.exe 98 PID 3884 wrote to memory of 4232 3884 Fifdgblo.exe 98 PID 4232 wrote to memory of 1496 4232 Fckhdk32.exe 99 PID 4232 wrote to memory of 1496 4232 Fckhdk32.exe 99 PID 4232 wrote to memory of 1496 4232 Fckhdk32.exe 99 PID 1496 wrote to memory of 2932 1496 Fjepaecb.exe 100 PID 1496 wrote to memory of 2932 1496 Fjepaecb.exe 100 PID 1496 wrote to memory of 2932 1496 Fjepaecb.exe 100 PID 2932 wrote to memory of 4960 2932 Fqohnp32.exe 101 PID 2932 wrote to memory of 4960 2932 Fqohnp32.exe 101 PID 2932 wrote to memory of 4960 2932 Fqohnp32.exe 101 PID 4960 wrote to memory of 2212 4960 Fcnejk32.exe 102 PID 4960 wrote to memory of 2212 4960 Fcnejk32.exe 102 PID 4960 wrote to memory of 2212 4960 Fcnejk32.exe 102 PID 2212 wrote to memory of 1636 2212 Fjhmgeao.exe 104 PID 2212 wrote to memory of 1636 2212 Fjhmgeao.exe 104 PID 2212 wrote to memory of 1636 2212 Fjhmgeao.exe 104 PID 1636 wrote to memory of 5040 1636 Fmficqpc.exe 105 PID 1636 wrote to memory of 5040 1636 Fmficqpc.exe 105 PID 1636 wrote to memory of 5040 1636 Fmficqpc.exe 105 PID 5040 wrote to memory of 2616 5040 Fodeolof.exe 106 PID 5040 wrote to memory of 2616 5040 Fodeolof.exe 106 PID 5040 wrote to memory of 2616 5040 Fodeolof.exe 106 PID 2616 wrote to memory of 624 2616 Gjjjle32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe"C:\Users\Admin\AppData\Local\Temp\a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe24⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe25⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe27⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4032 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe32⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe33⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe35⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe37⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3516 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe42⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4152 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4780 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe50⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe51⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe52⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe59⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5032 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4440 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe64⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3088 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe66⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe67⤵
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe69⤵
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3792 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe72⤵PID:3780
-
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe73⤵PID:3976
-
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe74⤵
- Modifies registry class
PID:3636 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4684 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe78⤵PID:4084
-
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe79⤵
- Modifies registry class
PID:4864 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe80⤵
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe82⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe85⤵
- Drops file in System32 directory
PID:4356 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4992 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe87⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe89⤵
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe90⤵
- Drops file in System32 directory
PID:4016 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe92⤵PID:1484
-
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe93⤵
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4808 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4240 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe97⤵
- Drops file in System32 directory
PID:5172 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe98⤵PID:5216
-
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe100⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe101⤵PID:5340
-
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5432 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe104⤵
- Drops file in System32 directory
PID:5472 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe107⤵PID:5612
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5656 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:5748 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:5792 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5872 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe114⤵
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe115⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6008 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe117⤵PID:6052
-
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe119⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe122⤵PID:5332
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-