Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/04/2024, 23:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc5ae2d0d9d8391ea894d573a1fa2c87.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cc5ae2d0d9d8391ea894d573a1fa2c87.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
cc5ae2d0d9d8391ea894d573a1fa2c87.exe
-
Size
156KB
-
MD5
cc5ae2d0d9d8391ea894d573a1fa2c87
-
SHA1
6553664282783ba301e5df59edcd6860e6ac1cc2
-
SHA256
08e8bfe8772160972b5e954db82ffa90b3a21c4f4cc14feb81dec40765bff116
-
SHA512
d86a93c90bac8ebb1c12774e9da296de15589ef569b0b4665df2df1761a86a83072ae277506fafc13ad89338d13a8d05a3af5b0db0af006e2fc2d095fa0ab41a
-
SSDEEP
3072:O3jPEtaEDCwhskxZJ9IDlRxyhTbhgu+tAcrbFAJc+RsUiM:ajPEtaEDjhsk/sDshsrtMsC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fflaff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgphpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdiklqhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efikji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccpfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doccaall.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jangmibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppphak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jigollag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmcidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhajlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfofbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijhodq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pecgja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaanpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elccfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fifdgblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbgkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqkhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iidipnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnapdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giacca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbanme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjfgphj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmhbpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfihc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojhdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoapbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdbiofi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maaepd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haggelfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcpncdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkihknfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gidphq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkepnjng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipabjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dabpnlkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoifcnid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fobiilai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdaldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgobjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baojaoke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfljmdjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakaql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbahlip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafpanem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmocpjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaoaja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmapha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpenfjad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaeiceg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dofpgqji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dohmlp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dagiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojqkbdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe -
Executes dropped EXE 64 IoCs
pid Process 1216 Phhqpn32.exe 3648 Ppphak32.exe 3796 Pbndmf32.exe 728 Paaeiceg.exe 2856 Pihmjqfj.exe 2132 Phkmem32.exe 3572 Ppbegkmg.exe 3656 Pneebg32.exe 3532 Pacaoc32.exe 4448 Peonoaln.exe 2488 Plifll32.exe 4072 Pngbhg32.exe 4300 Pbbnhfjh.exe 4936 Peajdajk.exe 4600 Pimfep32.exe 3024 Plkbak32.exe 2060 Ppgobjia.exe 1564 Pbekne32.exe 4368 Pecgja32.exe 2156 Piockppb.exe 4888 Plmogkoe.exe 1832 Qpikgj32.exe 2184 Qbggce32.exe 4032 Qefdpq32.exe 1700 Qhdpll32.exe 2668 Qlpllkmc.exe 4500 Qbjdiedp.exe 3036 Qehqepcc.exe 4412 Qhfmalbg.exe 4804 Apndbici.exe 3840 Aaoaja32.exe 232 Aifiko32.exe 2648 Aldegj32.exe 1900 Aocace32.exe 3808 Aaanpa32.exe 2340 Aemjpp32.exe 3960 Ahkflk32.exe 864 Algbmjgk.exe 3396 Apbnnh32.exe 5004 Aoeniefo.exe 2520 Aackeqeb.exe 3872 Aeoffo32.exe 3524 Ahncbk32.exe 2456 Apekch32.exe 4960 Aogkoedl.exe 2040 Abcgoc32.exe 2584 Aeacko32.exe 812 Aimoln32.exe 4000 Ahppgjjl.exe 3032 Apggihko.exe 1080 Aojhdd32.exe 4040 Abedecjb.exe 4956 Aahdqp32.exe 388 Aiolam32.exe 3408 Ahblmjhj.exe 4624 Blnhni32.exe 2884 Bpidngil.exe 1680 Bbhqjchp.exe 4496 Befmfngc.exe 2384 Bhdibj32.exe 2808 Blpechop.exe 1692 Bbjmpb32.exe 760 Behiln32.exe 4656 Bhgehi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mahbje32.exe Mjqjih32.exe File created C:\Windows\SysWOW64\Mjeddggd.exe Mkbchk32.exe File created C:\Windows\SysWOW64\Ndidbn32.exe Nqmhbpba.exe File created C:\Windows\SysWOW64\Mkomif32.dll Cpedjf32.exe File created C:\Windows\SysWOW64\Chphoh32.exe Cimhckeo.exe File created C:\Windows\SysWOW64\Ejjqeg32.exe Eodlho32.exe File created C:\Windows\SysWOW64\Kkpnlm32.exe Kgdbkohf.exe File created C:\Windows\SysWOW64\Fmclmabe.exe Fjepaecb.exe File created C:\Windows\SysWOW64\Hfofbd32.exe Hbckbepg.exe File created C:\Windows\SysWOW64\Iffmccbi.exe Ibjqcd32.exe File opened for modification C:\Windows\SysWOW64\Ipckgh32.exe Iapjlk32.exe File opened for modification C:\Windows\SysWOW64\Pneebg32.exe Ppbegkmg.exe File opened for modification C:\Windows\SysWOW64\Baaggo32.exe Bbofkbbh.exe File created C:\Windows\SysWOW64\Akonjjdb.dll Chnlihnl.exe File created C:\Windows\SysWOW64\Dcdimopp.exe Dohmlp32.exe File created C:\Windows\SysWOW64\Mjcgohig.exe Mdfofakp.exe File opened for modification C:\Windows\SysWOW64\Paaeiceg.exe Pbndmf32.exe File opened for modification C:\Windows\SysWOW64\Dphifcoi.exe Dllmfd32.exe File opened for modification C:\Windows\SysWOW64\Mgidml32.exe Mdkhapfj.exe File created C:\Windows\SysWOW64\Gdkdqfii.dll Dcopbp32.exe File created C:\Windows\SysWOW64\Lfmona32.dll Ejbkehcg.exe File created C:\Windows\SysWOW64\Ijdeiaio.exe Ibmmhdhm.exe File opened for modification C:\Windows\SysWOW64\Iiibkn32.exe Ijfboafl.exe File created C:\Windows\SysWOW64\Kagichjo.exe Kipabjil.exe File opened for modification C:\Windows\SysWOW64\Maohkd32.exe Mjhqjg32.exe File opened for modification C:\Windows\SysWOW64\Lalcng32.exe Liekmj32.exe File created C:\Windows\SysWOW64\Lkgdml32.exe Lcpllo32.exe File created C:\Windows\SysWOW64\Laalifad.exe Lijdhiaa.exe File created C:\Windows\SysWOW64\Phnelk32.dll Pbbnhfjh.exe File created C:\Windows\SysWOW64\Aifkpk32.dll Qbggce32.exe File created C:\Windows\SysWOW64\Dagiil32.exe Dcdimopp.exe File opened for modification C:\Windows\SysWOW64\Kmgdgjek.exe Kkihknfg.exe File created C:\Windows\SysWOW64\Hjhfnccl.exe Hfljmdjc.exe File opened for modification C:\Windows\SysWOW64\Iiffen32.exe Ijdeiaio.exe File opened for modification C:\Windows\SysWOW64\Jiphkm32.exe Jfaloa32.exe File created C:\Windows\SysWOW64\Eeecjqkd.dll Kgdbkohf.exe File created C:\Windows\SysWOW64\Admoco32.dll Bhdibj32.exe File created C:\Windows\SysWOW64\Knceql32.dll Dllmfd32.exe File opened for modification C:\Windows\SysWOW64\Epmcab32.exe Elagacbk.exe File created C:\Windows\SysWOW64\Gfedle32.exe Gbjhlfhb.exe File created C:\Windows\SysWOW64\Ccjfgphj.exe Cefemliq.exe File created C:\Windows\SysWOW64\Pfjbmk32.dll Qhdpll32.exe File opened for modification C:\Windows\SysWOW64\Ejlmkgkl.exe Ecbenm32.exe File created C:\Windows\SysWOW64\Fifdgblo.exe Fjcclf32.exe File created C:\Windows\SysWOW64\Odegmceb.dll Mamleegg.exe File opened for modification C:\Windows\SysWOW64\Gimjhafg.exe Gjjjle32.exe File opened for modification C:\Windows\SysWOW64\Ijkljp32.exe Ifopiajn.exe File created C:\Windows\SysWOW64\Kgdbkohf.exe Kcifkp32.exe File opened for modification C:\Windows\SysWOW64\Cpedjf32.exe Clihig32.exe File opened for modification C:\Windows\SysWOW64\Dcdimopp.exe Dohmlp32.exe File created C:\Windows\SysWOW64\Dcfebonm.exe Dphifcoi.exe File opened for modification C:\Windows\SysWOW64\Gbcakg32.exe Gcpapkgp.exe File created C:\Windows\SysWOW64\Mnapdf32.exe Mjeddggd.exe File created C:\Windows\SysWOW64\Mglack32.exe Mcpebmkb.exe File opened for modification C:\Windows\SysWOW64\Mnfipekh.exe Mjjmog32.exe File created C:\Windows\SysWOW64\Mpdelajl.exe Maaepd32.exe File created C:\Windows\SysWOW64\Nigpemda.dll Clnadfbp.exe File created C:\Windows\SysWOW64\Lcglnp32.dll Fqaeco32.exe File created C:\Windows\SysWOW64\Peeafpaf.dll Gbenqg32.exe File created C:\Windows\SysWOW64\Ghiqbiae.dll Kdffocib.exe File created C:\Windows\SysWOW64\Gmoliohh.exe Gidphq32.exe File created C:\Windows\SysWOW64\Enbofg32.dll Kgmlkp32.exe File created C:\Windows\SysWOW64\Offdjb32.dll Ldkojb32.exe File created C:\Windows\SysWOW64\Mamleegg.exe Mnapdf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10980 10900 WerFault.exe 504 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjhmgeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll" Gqkhjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiolam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll" Dllmfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dllmfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll" Gqdbiofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmioonpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll" Ipckgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaedgjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll" Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qehqepcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlegeemh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhgehi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigpemda.dll" Clnadfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll" Jbhmdbnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niecpdnn.dll" Pihmjqfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahkflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpjqhgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kinemkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbahlip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Commqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hippdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijdeiaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kogbodfe.dll" Ahkflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcbnejem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Impepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll" Mnapdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 cc5ae2d0d9d8391ea894d573a1fa2c87.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll" Ecmlcmhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doccaall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cafpanem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpjmee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efikji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eleplc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjnjqfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmclmabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehabgbnk.dll" Blpechop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdqdffoc.dll" Beppmmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" Ngpjnkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icjmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll" Mahbje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll" Lcbiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbllkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckhdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflhoigi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbgkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nccpjnam.dll" Aeoffo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcopbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqkocpod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaljgidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll" Mcklgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qefdpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cipehkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjlfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibagcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baojaoke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjkdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll" Hjmoibog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibjqcd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 8 wrote to memory of 1216 8 cc5ae2d0d9d8391ea894d573a1fa2c87.exe 86 PID 8 wrote to memory of 1216 8 cc5ae2d0d9d8391ea894d573a1fa2c87.exe 86 PID 8 wrote to memory of 1216 8 cc5ae2d0d9d8391ea894d573a1fa2c87.exe 86 PID 1216 wrote to memory of 3648 1216 Phhqpn32.exe 87 PID 1216 wrote to memory of 3648 1216 Phhqpn32.exe 87 PID 1216 wrote to memory of 3648 1216 Phhqpn32.exe 87 PID 3648 wrote to memory of 3796 3648 Ppphak32.exe 88 PID 3648 wrote to memory of 3796 3648 Ppphak32.exe 88 PID 3648 wrote to memory of 3796 3648 Ppphak32.exe 88 PID 3796 wrote to memory of 728 3796 Pbndmf32.exe 89 PID 3796 wrote to memory of 728 3796 Pbndmf32.exe 89 PID 3796 wrote to memory of 728 3796 Pbndmf32.exe 89 PID 728 wrote to memory of 2856 728 Paaeiceg.exe 90 PID 728 wrote to memory of 2856 728 Paaeiceg.exe 90 PID 728 wrote to memory of 2856 728 Paaeiceg.exe 90 PID 2856 wrote to memory of 2132 2856 Pihmjqfj.exe 91 PID 2856 wrote to memory of 2132 2856 Pihmjqfj.exe 91 PID 2856 wrote to memory of 2132 2856 Pihmjqfj.exe 91 PID 2132 wrote to memory of 3572 2132 Phkmem32.exe 92 PID 2132 wrote to memory of 3572 2132 Phkmem32.exe 92 PID 2132 wrote to memory of 3572 2132 Phkmem32.exe 92 PID 3572 wrote to memory of 3656 3572 Ppbegkmg.exe 93 PID 3572 wrote to memory of 3656 3572 Ppbegkmg.exe 93 PID 3572 wrote to memory of 3656 3572 Ppbegkmg.exe 93 PID 3656 wrote to memory of 3532 3656 Pneebg32.exe 95 PID 3656 wrote to memory of 3532 3656 Pneebg32.exe 95 PID 3656 wrote to memory of 3532 3656 Pneebg32.exe 95 PID 3532 wrote to memory of 4448 3532 Pacaoc32.exe 96 PID 3532 wrote to memory of 4448 3532 Pacaoc32.exe 96 PID 3532 wrote to memory of 4448 3532 Pacaoc32.exe 96 PID 4448 wrote to memory of 2488 4448 Peonoaln.exe 98 PID 4448 wrote to memory of 2488 4448 Peonoaln.exe 98 PID 4448 wrote to memory of 2488 4448 Peonoaln.exe 98 PID 2488 wrote to memory of 4072 2488 Plifll32.exe 99 PID 2488 wrote to memory of 4072 2488 Plifll32.exe 99 PID 2488 wrote to memory of 4072 2488 Plifll32.exe 99 PID 4072 wrote to memory of 4300 4072 Pngbhg32.exe 100 PID 4072 wrote to memory of 4300 4072 Pngbhg32.exe 100 PID 4072 wrote to memory of 4300 4072 Pngbhg32.exe 100 PID 4300 wrote to memory of 4936 4300 Pbbnhfjh.exe 101 PID 4300 wrote to memory of 4936 4300 Pbbnhfjh.exe 101 PID 4300 wrote to memory of 4936 4300 Pbbnhfjh.exe 101 PID 4936 wrote to memory of 4600 4936 Peajdajk.exe 102 PID 4936 wrote to memory of 4600 4936 Peajdajk.exe 102 PID 4936 wrote to memory of 4600 4936 Peajdajk.exe 102 PID 4600 wrote to memory of 3024 4600 Pimfep32.exe 104 PID 4600 wrote to memory of 3024 4600 Pimfep32.exe 104 PID 4600 wrote to memory of 3024 4600 Pimfep32.exe 104 PID 3024 wrote to memory of 2060 3024 Plkbak32.exe 105 PID 3024 wrote to memory of 2060 3024 Plkbak32.exe 105 PID 3024 wrote to memory of 2060 3024 Plkbak32.exe 105 PID 2060 wrote to memory of 1564 2060 Ppgobjia.exe 106 PID 2060 wrote to memory of 1564 2060 Ppgobjia.exe 106 PID 2060 wrote to memory of 1564 2060 Ppgobjia.exe 106 PID 1564 wrote to memory of 4368 1564 Pbekne32.exe 107 PID 1564 wrote to memory of 4368 1564 Pbekne32.exe 107 PID 1564 wrote to memory of 4368 1564 Pbekne32.exe 107 PID 4368 wrote to memory of 2156 4368 Pecgja32.exe 108 PID 4368 wrote to memory of 2156 4368 Pecgja32.exe 108 PID 4368 wrote to memory of 2156 4368 Pecgja32.exe 108 PID 2156 wrote to memory of 4888 2156 Piockppb.exe 109 PID 2156 wrote to memory of 4888 2156 Piockppb.exe 109 PID 2156 wrote to memory of 4888 2156 Piockppb.exe 109 PID 4888 wrote to memory of 1832 4888 Plmogkoe.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc5ae2d0d9d8391ea894d573a1fa2c87.exe"C:\Users\Admin\AppData\Local\Temp\cc5ae2d0d9d8391ea894d573a1fa2c87.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Phhqpn32.exeC:\Windows\system32\Phhqpn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Ppphak32.exeC:\Windows\system32\Ppphak32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Pbndmf32.exeC:\Windows\system32\Pbndmf32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Paaeiceg.exeC:\Windows\system32\Paaeiceg.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\Pihmjqfj.exeC:\Windows\system32\Pihmjqfj.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Phkmem32.exeC:\Windows\system32\Phkmem32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ppbegkmg.exeC:\Windows\system32\Ppbegkmg.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Pneebg32.exeC:\Windows\system32\Pneebg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Pacaoc32.exeC:\Windows\system32\Pacaoc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Plifll32.exeC:\Windows\system32\Plifll32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Pngbhg32.exeC:\Windows\system32\Pngbhg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Pbbnhfjh.exeC:\Windows\system32\Pbbnhfjh.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Peajdajk.exeC:\Windows\system32\Peajdajk.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Pimfep32.exeC:\Windows\system32\Pimfep32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Plkbak32.exeC:\Windows\system32\Plkbak32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ppgobjia.exeC:\Windows\system32\Ppgobjia.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Pbekne32.exeC:\Windows\system32\Pbekne32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Pecgja32.exeC:\Windows\system32\Pecgja32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Piockppb.exeC:\Windows\system32\Piockppb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Plmogkoe.exeC:\Windows\system32\Plmogkoe.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Qpikgj32.exeC:\Windows\system32\Qpikgj32.exe23⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Qbggce32.exeC:\Windows\system32\Qbggce32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Qefdpq32.exeC:\Windows\system32\Qefdpq32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4032 -
C:\Windows\SysWOW64\Qhdpll32.exeC:\Windows\system32\Qhdpll32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Qlpllkmc.exeC:\Windows\system32\Qlpllkmc.exe27⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Qbjdiedp.exeC:\Windows\system32\Qbjdiedp.exe28⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Qehqepcc.exeC:\Windows\system32\Qehqepcc.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Qhfmalbg.exeC:\Windows\system32\Qhfmalbg.exe30⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Apndbici.exeC:\Windows\system32\Apndbici.exe31⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Aaoaja32.exeC:\Windows\system32\Aaoaja32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Aifiko32.exeC:\Windows\system32\Aifiko32.exe33⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe34⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Aocace32.exeC:\Windows\system32\Aocace32.exe35⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Aaanpa32.exeC:\Windows\system32\Aaanpa32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Aemjpp32.exeC:\Windows\system32\Aemjpp32.exe37⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ahkflk32.exeC:\Windows\system32\Ahkflk32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\Algbmjgk.exeC:\Windows\system32\Algbmjgk.exe39⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Apbnnh32.exeC:\Windows\system32\Apbnnh32.exe40⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Aoeniefo.exeC:\Windows\system32\Aoeniefo.exe41⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe42⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Aeoffo32.exeC:\Windows\system32\Aeoffo32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3872 -
C:\Windows\SysWOW64\Ahncbk32.exeC:\Windows\system32\Ahncbk32.exe44⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Apekch32.exeC:\Windows\system32\Apekch32.exe45⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Aogkoedl.exeC:\Windows\system32\Aogkoedl.exe46⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Abcgoc32.exeC:\Windows\system32\Abcgoc32.exe47⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Aeacko32.exeC:\Windows\system32\Aeacko32.exe48⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe49⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Ahppgjjl.exeC:\Windows\system32\Ahppgjjl.exe50⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Apggihko.exeC:\Windows\system32\Apggihko.exe51⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Aojhdd32.exeC:\Windows\system32\Aojhdd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Abedecjb.exeC:\Windows\system32\Abedecjb.exe53⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Aahdqp32.exeC:\Windows\system32\Aahdqp32.exe54⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\Ahblmjhj.exeC:\Windows\system32\Ahblmjhj.exe56⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe57⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Bpidngil.exeC:\Windows\system32\Bpidngil.exe58⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe59⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe60⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Bbjmpb32.exeC:\Windows\system32\Bbjmpb32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4656 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe66⤵PID:4172
-
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4536 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe68⤵PID:344
-
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe69⤵PID:1124
-
C:\Windows\SysWOW64\Bpqjofcd.exeC:\Windows\system32\Bpqjofcd.exe70⤵PID:2780
-
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe71⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe72⤵PID:4052
-
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe73⤵PID:3668
-
C:\Windows\SysWOW64\Bpcgdfaa.exeC:\Windows\system32\Bpcgdfaa.exe74⤵PID:644
-
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe75⤵PID:4016
-
C:\Windows\SysWOW64\Bbacqape.exeC:\Windows\system32\Bbacqape.exe76⤵PID:4400
-
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe77⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Chnlihnl.exeC:\Windows\system32\Chnlihnl.exe78⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe79⤵
- Drops file in System32 directory
PID:3584 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe80⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4532 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3284 -
C:\Windows\SysWOW64\Cimhckeo.exeC:\Windows\system32\Cimhckeo.exe83⤵
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe84⤵PID:3904
-
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe85⤵PID:396
-
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe87⤵PID:5180
-
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe88⤵PID:5220
-
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe89⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe91⤵
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe92⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe93⤵PID:5440
-
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe94⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5532 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe96⤵PID:5580
-
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe97⤵PID:5620
-
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe98⤵PID:5664
-
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe99⤵PID:5704
-
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe100⤵PID:5748
-
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe101⤵PID:5796
-
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe102⤵PID:5836
-
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe103⤵PID:5880
-
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe104⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe105⤵
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6096 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe109⤵PID:6136
-
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe110⤵PID:5156
-
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe111⤵PID:4544
-
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe112⤵PID:5280
-
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5336 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe114⤵PID:5408
-
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe115⤵PID:3492
-
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5516 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe117⤵PID:5616
-
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe118⤵PID:324
-
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5744 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe120⤵
- Drops file in System32 directory
PID:5804 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-