Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/04/2024, 20:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f445a689c706cf24bd918f26d2f2cdef.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f445a689c706cf24bd918f26d2f2cdef.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f445a689c706cf24bd918f26d2f2cdef.exe
-
Size
128KB
-
MD5
f445a689c706cf24bd918f26d2f2cdef
-
SHA1
46813c02460f51937ea916b93caee41af876a1a1
-
SHA256
98a01848f970d6df4b29c7ac5b8cf012e6885412210288b6bfb5dae10acc45b3
-
SHA512
f1d690f1ece6d3bf7a8018a975868f9e2d23c75aeea56ba74f62a0ce5896f45fa74e8f04d555b47db8cf08334ddc1d7f45872f9817e5d293c873c439ff1255b6
-
SSDEEP
3072:uFTwnP83PxMeEvPOdgujv6NLPfFFrKP9:swnP83JML3OdgawrFZKP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojkkah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoglbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mflbjejb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kobnji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kefbdjgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iobmmoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mankaked.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcaoahio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqkmpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcqhcgqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfpcada.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmefiakh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akgcdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkokbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opkfjgmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekeacmel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejono32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aploae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aochga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnmnengg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qipqibmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obgeqcnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpibke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdkffi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpkehi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcqgahoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gechnpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofalfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqfmlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbibeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lklnconj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gegchl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhbdko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhnlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifipmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgdjicmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acaanp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Begcjjql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeigilml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngekmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icqmncof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahpdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djipbbne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flfjjkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkjhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igjbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jflgfpkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkooep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pohilc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akgcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgencf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npighq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldccid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnbpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nieggill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pojjcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Didjqoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjelibg.exe -
Executes dropped EXE 64 IoCs
pid Process 1136 Djgdkk32.exe 2316 Fdpnda32.exe 2764 Ggepalof.exe 4284 Gbpnjdkg.exe 3800 Hnkhjdle.exe 4348 Igjbci32.exe 3592 Iecmhlhb.exe 3512 Koimbpbc.exe 4664 Kefbdjgm.exe 3192 Kaaldjil.exe 4596 Lklnconj.exe 5100 Loopdmpk.exe 3452 Nbbnbemf.exe 2756 Pijcpmhc.exe 4496 Qbngeadf.exe 312 Aeffgkkp.exe 2628 Cefoni32.exe 1364 Cifdjg32.exe 1284 Cdnelpod.exe 2672 Debnjgcp.exe 1824 Eennefib.exe 4700 Fjgfgbek.exe 1312 Fjjcmbci.exe 4768 Gjnlha32.exe 1020 Gfemmb32.exe 3432 Gdkffi32.exe 2148 Hnmnengg.exe 2592 Icqmncof.exe 4716 Iedbcebd.exe 4952 Jegohe32.exe 3092 Jjdgal32.exe 2076 Jnfjbj32.exe 1556 Kjdqhjpf.exe 2304 Leedqa32.exe 3732 Mmjlkb32.exe 2428 Noqofdlj.exe 3632 Oolnabal.exe 4632 Oggbfdog.exe 4976 Pnfdnnbo.exe 1496 Pgaelcgm.exe 1260 Pojjcp32.exe 4292 Qfilkj32.exe 1028 Akjnnpcf.exe 1988 Aokcjngj.exe 548 Cbihmg32.exe 4492 Dhpdkm32.exe 2536 Dpkehi32.exe 2940 Didjqoae.exe 4556 Eldbbjof.exe 4640 Efjgpc32.exe 4888 Epbkhhel.exe 2132 Ehpmbj32.exe 2668 Flpbnh32.exe 2360 Fidbgm32.exe 2324 Fhllni32.exe 3020 Fcaqka32.exe 4344 Fepmgm32.exe 4872 Gpjjpe32.exe 4964 Gckcap32.exe 2088 Glchjedc.exe 2612 Gcmpgpkp.exe 2160 Gjghdj32.exe 864 Hpaqqdjj.exe 572 Hcommoin.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Egleni32.dll Lnbdlkje.exe File opened for modification C:\Windows\SysWOW64\Fanigb32.exe Eglbhnkp.exe File opened for modification C:\Windows\SysWOW64\Alfcflfb.exe Apobakpn.exe File created C:\Windows\SysWOW64\Ekeacmel.exe Eapmedef.exe File created C:\Windows\SysWOW64\Mcolikbl.dll Ldqfddml.exe File created C:\Windows\SysWOW64\Flebpn32.dll Nfgbec32.exe File created C:\Windows\SysWOW64\Ckegholn.dll Albpff32.exe File created C:\Windows\SysWOW64\Kgbljkca.exe Kdpfbp32.exe File opened for modification C:\Windows\SysWOW64\Iecmhlhb.exe Igjbci32.exe File created C:\Windows\SysWOW64\Flbldfbp.dll Ggepalof.exe File opened for modification C:\Windows\SysWOW64\Apcllk32.exe Akgcdc32.exe File created C:\Windows\SysWOW64\Ialhdh32.exe Ijpcbn32.exe File created C:\Windows\SysWOW64\Gbpnjdkg.exe Ggepalof.exe File opened for modification C:\Windows\SysWOW64\Gdkffi32.exe Gfemmb32.exe File created C:\Windows\SysWOW64\Jjdgal32.exe Jegohe32.exe File created C:\Windows\SysWOW64\Glinjqhb.exe Facjlhil.exe File created C:\Windows\SysWOW64\Ljjicl32.exe Ljglnmdi.exe File opened for modification C:\Windows\SysWOW64\Jdfcla32.exe Jmlkpgia.exe File created C:\Windows\SysWOW64\Fdpnda32.exe Djgdkk32.exe File created C:\Windows\SysWOW64\Ikinag32.dll Midoph32.exe File opened for modification C:\Windows\SysWOW64\Qpjifl32.exe Qipqibmf.exe File created C:\Windows\SysWOW64\Ogmapb32.dll Cjofambd.exe File created C:\Windows\SysWOW64\Hekpnp32.dll Eakdje32.exe File opened for modification C:\Windows\SysWOW64\Nfaijand.exe Mpedgghj.exe File created C:\Windows\SysWOW64\Fbpbbl32.dll Ljjicl32.exe File created C:\Windows\SysWOW64\Qpjifl32.exe Qipqibmf.exe File opened for modification C:\Windows\SysWOW64\Ggoaje32.exe Gnfmapqo.exe File created C:\Windows\SysWOW64\Gpjjpe32.exe Fepmgm32.exe File created C:\Windows\SysWOW64\Odighm32.dll Ialhdh32.exe File opened for modification C:\Windows\SysWOW64\Ikgicmpe.exe Ipaeedpp.exe File opened for modification C:\Windows\SysWOW64\Ilgcblnp.exe Hhbdko32.exe File created C:\Windows\SysWOW64\Nlphmafm.exe Npighq32.exe File opened for modification C:\Windows\SysWOW64\Ofalfi32.exe Ojkkah32.exe File opened for modification C:\Windows\SysWOW64\Gechnpid.exe Goipae32.exe File created C:\Windows\SysWOW64\Gdkbdllj.exe Gmqjga32.exe File created C:\Windows\SysWOW64\Gddcofoh.dll Iolfmcbb.exe File created C:\Windows\SysWOW64\Bplhhc32.exe Begcjjql.exe File created C:\Windows\SysWOW64\Lapopm32.exe Kmpido32.exe File created C:\Windows\SysWOW64\Gcodgf32.dll Ofalfi32.exe File created C:\Windows\SysWOW64\Dboljifq.dll Ladpcb32.exe File created C:\Windows\SysWOW64\Mpenmadn.exe Midoph32.exe File created C:\Windows\SysWOW64\Eglbhnkp.exe Ekeacmel.exe File created C:\Windows\SysWOW64\Bdjnmobg.dll Cpcnhbjj.exe File created C:\Windows\SysWOW64\Bejceb32.dll Djgdkk32.exe File created C:\Windows\SysWOW64\Fgpijd32.dll Flfjjkgi.exe File created C:\Windows\SysWOW64\Lciokqqf.dll Jacnegep.exe File created C:\Windows\SysWOW64\Laofhbmp.exe Lgibjj32.exe File created C:\Windows\SysWOW64\Flgadake.exe Fbnmkk32.exe File created C:\Windows\SysWOW64\Cfpfqiha.exe Cpcnhbjj.exe File opened for modification C:\Windows\SysWOW64\Npcaie32.exe Nieoal32.exe File created C:\Windows\SysWOW64\Acngqpog.dll Pcaoahio.exe File opened for modification C:\Windows\SysWOW64\Eqbcqnph.exe Eqpfknbj.exe File created C:\Windows\SysWOW64\Eielej32.dll Eqpfknbj.exe File created C:\Windows\SysWOW64\Donklfgn.dll Pdmikb32.exe File opened for modification C:\Windows\SysWOW64\Pmiijjcf.exe Pohilc32.exe File opened for modification C:\Windows\SysWOW64\Habeni32.exe Hhjqec32.exe File created C:\Windows\SysWOW64\Eekcho32.dll Jhocgqjj.exe File created C:\Windows\SysWOW64\Kdipce32.exe Kkaljpmd.exe File opened for modification C:\Windows\SysWOW64\Pnfdnnbo.exe Oggbfdog.exe File created C:\Windows\SysWOW64\Jikjmbmb.exe Jgbhdkml.exe File opened for modification C:\Windows\SysWOW64\Bjhpqn32.exe Bcngddao.exe File created C:\Windows\SysWOW64\Opkfjgmh.exe Obgeqcnn.exe File created C:\Windows\SysWOW64\Kjdqhjpf.exe Jnfjbj32.exe File opened for modification C:\Windows\SysWOW64\Gnfmapqo.exe Gcqhcgqi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7332 5528 WerFault.exe 418 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgmmdep.dll" Ilgcblnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flcndk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihicah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lamjbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnfpcada.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdffjckl.dll" Glinjqhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcdlepj.dll" Haclio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldccid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Facjlhil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efjgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhiinbdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpoafbfi.dll" Obeikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hchbkneg.dll" Aemqdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjjcmbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joalnp32.dll" Npipnjmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfcjhphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbbnbemf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qipqibmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnehdll.dll" Aekdolkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnekcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijpcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oplmdnpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aokcjngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijfpm32.dll" Npcaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anclekni.dll" Nlphmafm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aemqdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjle32.dll" Ikgicmpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pijcpmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cecnce32.dll" Oggbfdog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcommoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhmepaa.dll" Hcommoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dendok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imabnofj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnekcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cifdjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gckcap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqigee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbghhkmq.dll" Niadfpcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opkfjgmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aochga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeibmnq.dll" Lklnconj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flbhia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdipce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Begcjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgencf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oacmchcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojkkah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpjifl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihdjfhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acaanp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgencf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjnik32.dll" Kpkqbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhiinbdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohecgli.dll" Helkdnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejaecdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiebieom.dll" Nieggill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goipae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmbhlfil.dll" Pmiijjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Debnjgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icnmcc32.dll" Flcndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfemmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgpdg32.dll" Fepmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpbfhhi.dll" Hfpenj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 848 wrote to memory of 1136 848 f445a689c706cf24bd918f26d2f2cdef.exe 95 PID 848 wrote to memory of 1136 848 f445a689c706cf24bd918f26d2f2cdef.exe 95 PID 848 wrote to memory of 1136 848 f445a689c706cf24bd918f26d2f2cdef.exe 95 PID 1136 wrote to memory of 2316 1136 Djgdkk32.exe 96 PID 1136 wrote to memory of 2316 1136 Djgdkk32.exe 96 PID 1136 wrote to memory of 2316 1136 Djgdkk32.exe 96 PID 2316 wrote to memory of 2764 2316 Fdpnda32.exe 97 PID 2316 wrote to memory of 2764 2316 Fdpnda32.exe 97 PID 2316 wrote to memory of 2764 2316 Fdpnda32.exe 97 PID 2764 wrote to memory of 4284 2764 Ggepalof.exe 98 PID 2764 wrote to memory of 4284 2764 Ggepalof.exe 98 PID 2764 wrote to memory of 4284 2764 Ggepalof.exe 98 PID 4284 wrote to memory of 3800 4284 Gbpnjdkg.exe 99 PID 4284 wrote to memory of 3800 4284 Gbpnjdkg.exe 99 PID 4284 wrote to memory of 3800 4284 Gbpnjdkg.exe 99 PID 3800 wrote to memory of 4348 3800 Hnkhjdle.exe 100 PID 3800 wrote to memory of 4348 3800 Hnkhjdle.exe 100 PID 3800 wrote to memory of 4348 3800 Hnkhjdle.exe 100 PID 4348 wrote to memory of 3592 4348 Igjbci32.exe 101 PID 4348 wrote to memory of 3592 4348 Igjbci32.exe 101 PID 4348 wrote to memory of 3592 4348 Igjbci32.exe 101 PID 3592 wrote to memory of 3512 3592 Iecmhlhb.exe 102 PID 3592 wrote to memory of 3512 3592 Iecmhlhb.exe 102 PID 3592 wrote to memory of 3512 3592 Iecmhlhb.exe 102 PID 3512 wrote to memory of 4664 3512 Koimbpbc.exe 103 PID 3512 wrote to memory of 4664 3512 Koimbpbc.exe 103 PID 3512 wrote to memory of 4664 3512 Koimbpbc.exe 103 PID 4664 wrote to memory of 3192 4664 Kefbdjgm.exe 104 PID 4664 wrote to memory of 3192 4664 Kefbdjgm.exe 104 PID 4664 wrote to memory of 3192 4664 Kefbdjgm.exe 104 PID 3192 wrote to memory of 4596 3192 Kaaldjil.exe 105 PID 3192 wrote to memory of 4596 3192 Kaaldjil.exe 105 PID 3192 wrote to memory of 4596 3192 Kaaldjil.exe 105 PID 4596 wrote to memory of 5100 4596 Lklnconj.exe 106 PID 4596 wrote to memory of 5100 4596 Lklnconj.exe 106 PID 4596 wrote to memory of 5100 4596 Lklnconj.exe 106 PID 5100 wrote to memory of 3452 5100 Loopdmpk.exe 107 PID 5100 wrote to memory of 3452 5100 Loopdmpk.exe 107 PID 5100 wrote to memory of 3452 5100 Loopdmpk.exe 107 PID 3452 wrote to memory of 2756 3452 Nbbnbemf.exe 108 PID 3452 wrote to memory of 2756 3452 Nbbnbemf.exe 108 PID 3452 wrote to memory of 2756 3452 Nbbnbemf.exe 108 PID 2756 wrote to memory of 4496 2756 Pijcpmhc.exe 109 PID 2756 wrote to memory of 4496 2756 Pijcpmhc.exe 109 PID 2756 wrote to memory of 4496 2756 Pijcpmhc.exe 109 PID 4496 wrote to memory of 312 4496 Qbngeadf.exe 110 PID 4496 wrote to memory of 312 4496 Qbngeadf.exe 110 PID 4496 wrote to memory of 312 4496 Qbngeadf.exe 110 PID 312 wrote to memory of 2628 312 Aeffgkkp.exe 111 PID 312 wrote to memory of 2628 312 Aeffgkkp.exe 111 PID 312 wrote to memory of 2628 312 Aeffgkkp.exe 111 PID 2628 wrote to memory of 1364 2628 Cefoni32.exe 112 PID 2628 wrote to memory of 1364 2628 Cefoni32.exe 112 PID 2628 wrote to memory of 1364 2628 Cefoni32.exe 112 PID 1364 wrote to memory of 1284 1364 Cifdjg32.exe 113 PID 1364 wrote to memory of 1284 1364 Cifdjg32.exe 113 PID 1364 wrote to memory of 1284 1364 Cifdjg32.exe 113 PID 1284 wrote to memory of 2672 1284 Cdnelpod.exe 114 PID 1284 wrote to memory of 2672 1284 Cdnelpod.exe 114 PID 1284 wrote to memory of 2672 1284 Cdnelpod.exe 114 PID 2672 wrote to memory of 1824 2672 Debnjgcp.exe 115 PID 2672 wrote to memory of 1824 2672 Debnjgcp.exe 115 PID 2672 wrote to memory of 1824 2672 Debnjgcp.exe 115 PID 1824 wrote to memory of 4700 1824 Eennefib.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\f445a689c706cf24bd918f26d2f2cdef.exe"C:\Users\Admin\AppData\Local\Temp\f445a689c706cf24bd918f26d2f2cdef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Djgdkk32.exeC:\Windows\system32\Djgdkk32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Ggepalof.exeC:\Windows\system32\Ggepalof.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Igjbci32.exeC:\Windows\system32\Igjbci32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Iecmhlhb.exeC:\Windows\system32\Iecmhlhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Lklnconj.exeC:\Windows\system32\Lklnconj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe23⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe25⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Gdkffi32.exeC:\Windows\system32\Gdkffi32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Hnmnengg.exeC:\Windows\system32\Hnmnengg.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Icqmncof.exeC:\Windows\system32\Icqmncof.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Iedbcebd.exeC:\Windows\system32\Iedbcebd.exe30⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe32⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Kjdqhjpf.exeC:\Windows\system32\Kjdqhjpf.exe34⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Leedqa32.exeC:\Windows\system32\Leedqa32.exe35⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe36⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe37⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe38⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Oggbfdog.exeC:\Windows\system32\Oggbfdog.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe40⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe41⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Pojjcp32.exeC:\Windows\system32\Pojjcp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Qfilkj32.exeC:\Windows\system32\Qfilkj32.exe43⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe44⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Aokcjngj.exeC:\Windows\system32\Aokcjngj.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe46⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Dhpdkm32.exeC:\Windows\system32\Dhpdkm32.exe47⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Dpkehi32.exeC:\Windows\system32\Dpkehi32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Eldbbjof.exeC:\Windows\system32\Eldbbjof.exe50⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Efjgpc32.exeC:\Windows\system32\Efjgpc32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4640 -
C:\Windows\SysWOW64\Epbkhhel.exeC:\Windows\system32\Epbkhhel.exe52⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe53⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Flpbnh32.exeC:\Windows\system32\Flpbnh32.exe54⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Fidbgm32.exeC:\Windows\system32\Fidbgm32.exe55⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Fhllni32.exeC:\Windows\system32\Fhllni32.exe56⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Fcaqka32.exeC:\Windows\system32\Fcaqka32.exe57⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Fepmgm32.exeC:\Windows\system32\Fepmgm32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Gpjjpe32.exeC:\Windows\system32\Gpjjpe32.exe59⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Gegchl32.exeC:\Windows\system32\Gegchl32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Glchjedc.exeC:\Windows\system32\Glchjedc.exe62⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Gcmpgpkp.exeC:\Windows\system32\Gcmpgpkp.exe63⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Gjghdj32.exeC:\Windows\system32\Gjghdj32.exe64⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Hpaqqdjj.exeC:\Windows\system32\Hpaqqdjj.exe65⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Hcommoin.exeC:\Windows\system32\Hcommoin.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Hjieii32.exeC:\Windows\system32\Hjieii32.exe67⤵PID:3532
-
C:\Windows\SysWOW64\Hofmaq32.exeC:\Windows\system32\Hofmaq32.exe68⤵PID:2348
-
C:\Windows\SysWOW64\Hfpenj32.exeC:\Windows\system32\Hfpenj32.exe69⤵
- Modifies registry class
PID:3792 -
C:\Windows\SysWOW64\Hhobjf32.exeC:\Windows\system32\Hhobjf32.exe70⤵PID:5132
-
C:\Windows\SysWOW64\Iqmplbpl.exeC:\Windows\system32\Iqmplbpl.exe71⤵PID:5176
-
C:\Windows\SysWOW64\Iobmmoed.exeC:\Windows\system32\Iobmmoed.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5216 -
C:\Windows\SysWOW64\Ifleji32.exeC:\Windows\system32\Ifleji32.exe73⤵PID:5264
-
C:\Windows\SysWOW64\Icdoolge.exeC:\Windows\system32\Icdoolge.exe74⤵PID:5304
-
C:\Windows\SysWOW64\Iiaggc32.exeC:\Windows\system32\Iiaggc32.exe75⤵PID:5340
-
C:\Windows\SysWOW64\Jgbhdkml.exeC:\Windows\system32\Jgbhdkml.exe76⤵
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Jikjmbmb.exeC:\Windows\system32\Jikjmbmb.exe77⤵PID:5440
-
C:\Windows\SysWOW64\Jqbbno32.exeC:\Windows\system32\Jqbbno32.exe78⤵PID:5484
-
C:\Windows\SysWOW64\Jglkkiea.exeC:\Windows\system32\Jglkkiea.exe79⤵PID:5528
-
C:\Windows\SysWOW64\Kmkpipaf.exeC:\Windows\system32\Kmkpipaf.exe80⤵PID:5572
-
C:\Windows\SysWOW64\Kmpido32.exeC:\Windows\system32\Kmpido32.exe81⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Lapopm32.exeC:\Windows\system32\Lapopm32.exe82⤵PID:5656
-
C:\Windows\SysWOW64\Lcqgahoe.exeC:\Windows\system32\Lcqgahoe.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Lccdghmc.exeC:\Windows\system32\Lccdghmc.exe84⤵PID:5748
-
C:\Windows\SysWOW64\Lpjelibg.exeC:\Windows\system32\Lpjelibg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5788 -
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Mpedgghj.exeC:\Windows\system32\Mpedgghj.exe87⤵
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Nfaijand.exeC:\Windows\system32\Nfaijand.exe88⤵PID:5924
-
C:\Windows\SysWOW64\Nhafcd32.exeC:\Windows\system32\Nhafcd32.exe89⤵PID:5964
-
C:\Windows\SysWOW64\Nieoal32.exeC:\Windows\system32\Nieoal32.exe90⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\SysWOW64\Npcaie32.exeC:\Windows\system32\Npcaie32.exe91⤵
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Oacmchcl.exeC:\Windows\system32\Oacmchcl.exe92⤵
- Modifies registry class
PID:6096 -
C:\Windows\SysWOW64\Ohmepbki.exeC:\Windows\system32\Ohmepbki.exe93⤵PID:6136
-
C:\Windows\SysWOW64\Ohobebig.exeC:\Windows\system32\Ohobebig.exe94⤵PID:5184
-
C:\Windows\SysWOW64\Pdmikb32.exeC:\Windows\system32\Pdmikb32.exe95⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Abflfc32.exeC:\Windows\system32\Abflfc32.exe96⤵PID:5388
-
C:\Windows\SysWOW64\Ahpdcn32.exeC:\Windows\system32\Ahpdcn32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5448 -
C:\Windows\SysWOW64\Bbhhlccb.exeC:\Windows\system32\Bbhhlccb.exe98⤵PID:5524
-
C:\Windows\SysWOW64\Biigildg.exeC:\Windows\system32\Biigildg.exe99⤵PID:5536
-
C:\Windows\SysWOW64\Ciefek32.exeC:\Windows\system32\Ciefek32.exe100⤵PID:3964
-
C:\Windows\SysWOW64\Djipbbne.exeC:\Windows\system32\Djipbbne.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Dendok32.exeC:\Windows\system32\Dendok32.exe102⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Daeddlco.exeC:\Windows\system32\Daeddlco.exe103⤵PID:5796
-
C:\Windows\SysWOW64\Dhfcae32.exeC:\Windows\system32\Dhfcae32.exe104⤵PID:5840
-
C:\Windows\SysWOW64\Eeomfioh.exeC:\Windows\system32\Eeomfioh.exe105⤵PID:5916
-
C:\Windows\SysWOW64\Eahjqicj.exeC:\Windows\system32\Eahjqicj.exe106⤵PID:5948
-
C:\Windows\SysWOW64\Flmonbbp.exeC:\Windows\system32\Flmonbbp.exe107⤵PID:1724
-
C:\Windows\SysWOW64\Fajgfiag.exeC:\Windows\system32\Fajgfiag.exe108⤵PID:6064
-
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6120 -
C:\Windows\SysWOW64\Fongpm32.exeC:\Windows\system32\Fongpm32.exe110⤵PID:4612
-
C:\Windows\SysWOW64\Fehplggn.exeC:\Windows\system32\Fehplggn.exe111⤵PID:5332
-
C:\Windows\SysWOW64\Flbhia32.exeC:\Windows\system32\Flbhia32.exe112⤵
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Fblpflfg.exeC:\Windows\system32\Fblpflfg.exe113⤵PID:5504
-
C:\Windows\SysWOW64\Fhiinbdo.exeC:\Windows\system32\Fhiinbdo.exe114⤵
- Modifies registry class
PID:5596 -
C:\Windows\SysWOW64\Fbnmkk32.exeC:\Windows\system32\Fbnmkk32.exe115⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Flgadake.exeC:\Windows\system32\Flgadake.exe116⤵PID:5820
-
C:\Windows\SysWOW64\Facjlhil.exeC:\Windows\system32\Facjlhil.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Glinjqhb.exeC:\Windows\system32\Glinjqhb.exe118⤵
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Gaffbg32.exeC:\Windows\system32\Gaffbg32.exe119⤵PID:6060
-
C:\Windows\SysWOW64\Hhlnjpdi.exeC:\Windows\system32\Hhlnjpdi.exe120⤵PID:5160
-
C:\Windows\SysWOW64\Hhbdko32.exeC:\Windows\system32\Hhbdko32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-