Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 19:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
virussign.com_d47c623ce911a4a02b262ff4b0842130.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
virussign.com_d47c623ce911a4a02b262ff4b0842130.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
virussign.com_d47c623ce911a4a02b262ff4b0842130.exe
-
Size
400KB
-
MD5
d47c623ce911a4a02b262ff4b0842130
-
SHA1
a7b7399f6bf3e12ccb494282def25158cef6a5e9
-
SHA256
df1d472c27e2c4c7999762013fd158a4f5efd0362dd9265986998a4082aee947
-
SHA512
13eb899ba6eb703686f9cbb7cca8e707f9a07a337223d9eeb366dd10fe982e0c743b2577f0c5aa7059b54c321cd879f2b2bd2722de414ba2f0d6abbb1b36558e
-
SSDEEP
6144:asJmfawUqLKdLAY/Xr4Br3CbArLAZ26RQ8sY6CbArLAY/9bPk6Cbv:a0Gah/Rrgryg426RQagrkj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfmke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odednmpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgqcqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifjodl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcmom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idacmfkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agoabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpijnqkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpablkhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfoiokfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplmmfmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nngokoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmngglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqfmde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calhnpgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhocqigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqkdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faihkbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimekgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dedkdcie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmjfmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajcbgml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fflaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmoliohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhoae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faihkbci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmhbpba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqppkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenamdem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjdilcla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgciaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dadeieea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohoigfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nebdoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocpgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmelbid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdoboli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alabgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfqbhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceqnmpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjjjle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanjpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfpcgpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfnphn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglack32.exe -
Executes dropped EXE 64 IoCs
pid Process 3196 Fbllkh32.exe 100 Fmapha32.exe 552 Fbnhphbp.exe 2920 Ffjdqg32.exe 208 Fcnejk32.exe 712 Fflaff32.exe 212 Fqaeco32.exe 1728 Gbcakg32.exe 3360 Gjjjle32.exe 2684 Gbgkfg32.exe 4272 Gfcgge32.exe 1224 Gmmocpjk.exe 4636 Gcggpj32.exe 2548 Gfedle32.exe 4244 Gmoliohh.exe 3960 Gfhqbe32.exe 624 Gifmnpnl.exe 1032 Hpbaqj32.exe 1300 Hbanme32.exe 1672 Hjhfnccl.exe 3972 Hmfbjnbp.exe 2616 Hjjbcbqj.exe 1052 Hadkpm32.exe 2140 Hccglh32.exe 1092 Hmklen32.exe 4176 Hibljoco.exe 620 Ipldfi32.exe 3696 Ibjqcd32.exe 1748 Iidipnal.exe 2564 Iakaql32.exe 2420 Ibmmhdhm.exe 1916 Iannfk32.exe 1240 Ipqnahgf.exe 4180 Ifjfnb32.exe 2468 Iapjlk32.exe 1948 Imgkql32.exe 3976 Iabgaklg.exe 4068 Idacmfkj.exe 4412 Ijkljp32.exe 4032 Iinlemia.exe 2776 Jaedgjjd.exe 4820 Jdcpcf32.exe 2472 Jfaloa32.exe 224 Jiphkm32.exe 3544 Jpjqhgol.exe 4772 Jibeql32.exe 1460 Jplmmfmi.exe 3820 Jfffjqdf.exe 2576 Jmpngk32.exe 2128 Jpojcf32.exe 3924 Jfhbppbc.exe 2560 Jmbklj32.exe 4472 Jfkoeppq.exe 4796 Jkfkfohj.exe 1588 Kmegbjgn.exe 3380 Kdopod32.exe 1100 Kgmlkp32.exe 4968 Kilhgk32.exe 1772 Kacphh32.exe 4504 Kdaldd32.exe 4620 Kbdmpqcb.exe 2232 Kmjqmi32.exe 1104 Kaemnhla.exe 964 Kbfiep32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hhapkbgi.dll Mpaifalo.exe File opened for modification C:\Windows\SysWOW64\Cogmkl32.exe Cliaoq32.exe File created C:\Windows\SysWOW64\Aeiofcji.exe Ambgef32.exe File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe Deokon32.exe File created C:\Windows\SysWOW64\Fqaeco32.exe Fflaff32.exe File created C:\Windows\SysWOW64\Ipqnahgf.exe Iannfk32.exe File created C:\Windows\SysWOW64\Mcklgm32.exe Mpmokb32.exe File created C:\Windows\SysWOW64\Bemlmgnp.exe Bbnpqk32.exe File opened for modification C:\Windows\SysWOW64\Icnpmp32.exe Ilghlc32.exe File opened for modification C:\Windows\SysWOW64\Mkpgck32.exe Mgekbljc.exe File created C:\Windows\SysWOW64\Nceonl32.exe Nqfbaq32.exe File created C:\Windows\SysWOW64\Fdmlkkap.dll Pnihcq32.exe File created C:\Windows\SysWOW64\Jfcibe32.dll Bemlmgnp.exe File created C:\Windows\SysWOW64\Hfbcpl32.dll Cahfmgoo.exe File opened for modification C:\Windows\SysWOW64\Fomhdg32.exe Fdgdgnbm.exe File created C:\Windows\SysWOW64\Lkiqbl32.exe Ldohebqh.exe File created C:\Windows\SysWOW64\Fibjjh32.dll Nceonl32.exe File created C:\Windows\SysWOW64\Alabgd32.exe Qnnanphk.exe File created C:\Windows\SysWOW64\Bclhoo32.dll Jpjqhgol.exe File created C:\Windows\SysWOW64\Nqmhbpba.exe Nbkhfc32.exe File opened for modification C:\Windows\SysWOW64\Faihkbci.exe Fhqcam32.exe File created C:\Windows\SysWOW64\Efjecajf.dll Kipkhdeq.exe File opened for modification C:\Windows\SysWOW64\Dhfajjoj.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Njcqqgjb.dll Mamleegg.exe File opened for modification C:\Windows\SysWOW64\Pkfblfab.exe Pcojkhap.exe File created C:\Windows\SysWOW64\Nggdeh32.dll Aanjpk32.exe File created C:\Windows\SysWOW64\Dafbne32.exe Dohfbj32.exe File created C:\Windows\SysWOW64\Qnjnnj32.exe Qfcfml32.exe File created C:\Windows\SysWOW64\Bejkjg32.dll Hjhfnccl.exe File opened for modification C:\Windows\SysWOW64\Hibljoco.exe Hmklen32.exe File opened for modification C:\Windows\SysWOW64\Nnhfee32.exe Nkjjij32.exe File opened for modification C:\Windows\SysWOW64\Ipldfi32.exe Hibljoco.exe File created C:\Windows\SysWOW64\Bcoenmao.exe Bapiabak.exe File opened for modification C:\Windows\SysWOW64\Bcoenmao.exe Bapiabak.exe File created C:\Windows\SysWOW64\Jplifcqp.dll Kpmfddnf.exe File opened for modification C:\Windows\SysWOW64\Cdiooblp.exe Cajcbgml.exe File created C:\Windows\SysWOW64\Pfaigm32.exe Pcbmka32.exe File created C:\Windows\SysWOW64\Lmbnpm32.dll Nkncdifl.exe File opened for modification C:\Windows\SysWOW64\Pkceffcd.exe Pclneicb.exe File created C:\Windows\SysWOW64\Ffcnippo.dll Acnlgp32.exe File created C:\Windows\SysWOW64\Bfkedibe.exe Beihma32.exe File created C:\Windows\SysWOW64\Cabfga32.exe Cndikf32.exe File created C:\Windows\SysWOW64\Ekfnlmai.dll Ffjdqg32.exe File created C:\Windows\SysWOW64\Kbmebabl.dll Ibmmhdhm.exe File opened for modification C:\Windows\SysWOW64\Mcklgm32.exe Mpmokb32.exe File created C:\Windows\SysWOW64\Ingfla32.dll Cffdpghg.exe File created C:\Windows\SysWOW64\Pnihcq32.exe Pcccfh32.exe File created C:\Windows\SysWOW64\Ajkhdp32.exe Ahmlgd32.exe File opened for modification C:\Windows\SysWOW64\Cnicfe32.exe Cfbkeh32.exe File opened for modification C:\Windows\SysWOW64\Kmijbcpl.exe Kfoafi32.exe File opened for modification C:\Windows\SysWOW64\Kckbqpnj.exe Kpmfddnf.exe File opened for modification C:\Windows\SysWOW64\Nafokcol.exe Njogjfoj.exe File created C:\Windows\SysWOW64\Ebooppnl.dll Onholckc.exe File opened for modification C:\Windows\SysWOW64\Gfbploob.exe Ghopckpi.exe File created C:\Windows\SysWOW64\Baacma32.dll Anmjcieo.exe File created C:\Windows\SysWOW64\Anmklllo.dll Jfffjqdf.exe File opened for modification C:\Windows\SysWOW64\Jkfkfohj.exe Jfkoeppq.exe File created C:\Windows\SysWOW64\Oqdoboli.exe Onfbfc32.exe File created C:\Windows\SysWOW64\Jlkagbej.exe Jimekgff.exe File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe Mcpnhfhf.exe File created C:\Windows\SysWOW64\Mdkhapfj.exe Mamleegg.exe File created C:\Windows\SysWOW64\Eodpoobg.dll Abemjmgg.exe File opened for modification C:\Windows\SysWOW64\Fcmnpe32.exe Fkffog32.exe File opened for modification C:\Windows\SysWOW64\Ajneip32.exe Ajkhdp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10672 10596 WerFault.exe 510 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll" Ffjdqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbanme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnihcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll" Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" Kbfiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okeieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abemjmgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcadgkl.dll" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjehk32.dll" Ecoangbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll" Jfhbppbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" Kajfig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpebmkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbdbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpablkhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iannfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll" Kgmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbpjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipldfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll" Kaemnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll" Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laefdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onholckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll" Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" Mnocof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nceonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aldomc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjkjpgfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhfnccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnkdhpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll" Kipkhdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnlhfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbfkbhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll" Pfjcgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddhpjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibljoco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lklnhlfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacmah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqmalhn.dll" Daolnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffdpghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkbkamnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbahlip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcjapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipqnahgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifjfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll" Idacmfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcklgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okjbpglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docjlc32.dll" Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll" Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkqpjidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcojkhap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgjblfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilkojc32.dll" Pclneicb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3048 wrote to memory of 3196 3048 virussign.com_d47c623ce911a4a02b262ff4b0842130.exe 80 PID 3048 wrote to memory of 3196 3048 virussign.com_d47c623ce911a4a02b262ff4b0842130.exe 80 PID 3048 wrote to memory of 3196 3048 virussign.com_d47c623ce911a4a02b262ff4b0842130.exe 80 PID 3196 wrote to memory of 100 3196 Fbllkh32.exe 81 PID 3196 wrote to memory of 100 3196 Fbllkh32.exe 81 PID 3196 wrote to memory of 100 3196 Fbllkh32.exe 81 PID 100 wrote to memory of 552 100 Fmapha32.exe 82 PID 100 wrote to memory of 552 100 Fmapha32.exe 82 PID 100 wrote to memory of 552 100 Fmapha32.exe 82 PID 552 wrote to memory of 2920 552 Fbnhphbp.exe 83 PID 552 wrote to memory of 2920 552 Fbnhphbp.exe 83 PID 552 wrote to memory of 2920 552 Fbnhphbp.exe 83 PID 2920 wrote to memory of 208 2920 Ffjdqg32.exe 84 PID 2920 wrote to memory of 208 2920 Ffjdqg32.exe 84 PID 2920 wrote to memory of 208 2920 Ffjdqg32.exe 84 PID 208 wrote to memory of 712 208 Fcnejk32.exe 85 PID 208 wrote to memory of 712 208 Fcnejk32.exe 85 PID 208 wrote to memory of 712 208 Fcnejk32.exe 85 PID 712 wrote to memory of 212 712 Fflaff32.exe 86 PID 712 wrote to memory of 212 712 Fflaff32.exe 86 PID 712 wrote to memory of 212 712 Fflaff32.exe 86 PID 212 wrote to memory of 1728 212 Fqaeco32.exe 87 PID 212 wrote to memory of 1728 212 Fqaeco32.exe 87 PID 212 wrote to memory of 1728 212 Fqaeco32.exe 87 PID 1728 wrote to memory of 3360 1728 Gbcakg32.exe 88 PID 1728 wrote to memory of 3360 1728 Gbcakg32.exe 88 PID 1728 wrote to memory of 3360 1728 Gbcakg32.exe 88 PID 3360 wrote to memory of 2684 3360 Gjjjle32.exe 89 PID 3360 wrote to memory of 2684 3360 Gjjjle32.exe 89 PID 3360 wrote to memory of 2684 3360 Gjjjle32.exe 89 PID 2684 wrote to memory of 4272 2684 Gbgkfg32.exe 90 PID 2684 wrote to memory of 4272 2684 Gbgkfg32.exe 90 PID 2684 wrote to memory of 4272 2684 Gbgkfg32.exe 90 PID 4272 wrote to memory of 1224 4272 Gfcgge32.exe 91 PID 4272 wrote to memory of 1224 4272 Gfcgge32.exe 91 PID 4272 wrote to memory of 1224 4272 Gfcgge32.exe 91 PID 1224 wrote to memory of 4636 1224 Gmmocpjk.exe 92 PID 1224 wrote to memory of 4636 1224 Gmmocpjk.exe 92 PID 1224 wrote to memory of 4636 1224 Gmmocpjk.exe 92 PID 4636 wrote to memory of 2548 4636 Gcggpj32.exe 93 PID 4636 wrote to memory of 2548 4636 Gcggpj32.exe 93 PID 4636 wrote to memory of 2548 4636 Gcggpj32.exe 93 PID 2548 wrote to memory of 4244 2548 Gfedle32.exe 94 PID 2548 wrote to memory of 4244 2548 Gfedle32.exe 94 PID 2548 wrote to memory of 4244 2548 Gfedle32.exe 94 PID 4244 wrote to memory of 3960 4244 Gmoliohh.exe 95 PID 4244 wrote to memory of 3960 4244 Gmoliohh.exe 95 PID 4244 wrote to memory of 3960 4244 Gmoliohh.exe 95 PID 3960 wrote to memory of 624 3960 Gfhqbe32.exe 96 PID 3960 wrote to memory of 624 3960 Gfhqbe32.exe 96 PID 3960 wrote to memory of 624 3960 Gfhqbe32.exe 96 PID 624 wrote to memory of 1032 624 Gifmnpnl.exe 97 PID 624 wrote to memory of 1032 624 Gifmnpnl.exe 97 PID 624 wrote to memory of 1032 624 Gifmnpnl.exe 97 PID 1032 wrote to memory of 1300 1032 Hpbaqj32.exe 98 PID 1032 wrote to memory of 1300 1032 Hpbaqj32.exe 98 PID 1032 wrote to memory of 1300 1032 Hpbaqj32.exe 98 PID 1300 wrote to memory of 1672 1300 Hbanme32.exe 99 PID 1300 wrote to memory of 1672 1300 Hbanme32.exe 99 PID 1300 wrote to memory of 1672 1300 Hbanme32.exe 99 PID 1672 wrote to memory of 3972 1672 Hjhfnccl.exe 100 PID 1672 wrote to memory of 3972 1672 Hjhfnccl.exe 100 PID 1672 wrote to memory of 3972 1672 Hjhfnccl.exe 100 PID 3972 wrote to memory of 2616 3972 Hmfbjnbp.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\virussign.com_d47c623ce911a4a02b262ff4b0842130.exe"C:\Users\Admin\AppData\Local\Temp\virussign.com_d47c623ce911a4a02b262ff4b0842130.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe23⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe25⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe29⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe30⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe31⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4180 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe37⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe38⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe41⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe42⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe43⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe44⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe45⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe47⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe50⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe51⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe53⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4472 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe55⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe56⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe57⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe59⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe60⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe61⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe62⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe63⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe66⤵PID:836
-
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe67⤵PID:2484
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe68⤵PID:2924
-
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe69⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe70⤵PID:4464
-
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe71⤵PID:4900
-
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe72⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe73⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe74⤵PID:3944
-
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe75⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe76⤵PID:3640
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe77⤵PID:4436
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe78⤵PID:1292
-
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe79⤵PID:3332
-
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe80⤵PID:3316
-
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe81⤵PID:872
-
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe82⤵PID:4640
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe83⤵PID:4492
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe84⤵PID:664
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe85⤵
- Drops file in System32 directory
PID:3892 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe86⤵PID:4588
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe87⤵PID:3308
-
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe88⤵PID:4824
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe89⤵PID:5092
-
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe90⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe91⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe92⤵PID:1376
-
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe93⤵PID:1324
-
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe94⤵PID:4556
-
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe95⤵PID:3120
-
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe96⤵PID:2100
-
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe97⤵
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe98⤵PID:5068
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe100⤵
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe101⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe102⤵PID:1820
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe103⤵PID:1068
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe104⤵
- Drops file in System32 directory
PID:4052 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe105⤵PID:508
-
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe106⤵PID:4520
-
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe107⤵PID:1148
-
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe109⤵
- Drops file in System32 directory
PID:4792 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe110⤵
- Modifies registry class
PID:4996 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:436 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe112⤵PID:2056
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe113⤵PID:1372
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe114⤵PID:2596
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe115⤵PID:4780
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe116⤵
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe117⤵
- Drops file in System32 directory
PID:3232 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe118⤵PID:5156
-
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe119⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe121⤵PID:5320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-