Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
105s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
23/07/2024, 07:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8688f6f15738ccc2102daab2565a05d0N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
8688f6f15738ccc2102daab2565a05d0N.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
8688f6f15738ccc2102daab2565a05d0N.exe
-
Size
376KB
-
MD5
8688f6f15738ccc2102daab2565a05d0
-
SHA1
5c2e889ab502a8ddcf1c2f067415caa9dea603a1
-
SHA256
8e2068c404b64f8239646ffa5ebadf91426a980c879b212a00857fcd4373d8cd
-
SHA512
6843d5a59cf4b715c7f2c4fbce6b19749b3dc4eda8ab5b87077e29f191b738f4ddb541503761724a550754ea92706ff095167f6380ce72030909a8e2f54826c7
-
SSDEEP
3072:VfSvI/m5Qz3ZRQVAURfE+HXAB0kCySYo0CkkhHs4WfO7:lSw+IQRs+HXc0uo0CkkW1fs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiaglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qepkbpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomgjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkjgegae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogpmjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpqkad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohpkmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcjhkdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocefm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdkcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kijjbofj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcepkfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njefqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpckf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdemd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpnhfhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnnle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najmjokc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpbecod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igajal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcgffqei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbohpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpglnhad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmqfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emaedo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqijje32.exe -
Executes dropped EXE 64 IoCs
pid Process 1624 Llemdo32.exe 944 Ldleel32.exe 2224 Llgjjnlj.exe 1512 Likjcbkc.exe 1524 Lljfpnjg.exe 1036 Lebkhc32.exe 4604 Lllcen32.exe 5076 Medgncoe.exe 1876 Mdehlk32.exe 928 Megdccmb.exe 2256 Mdhdajea.exe 2884 Miemjaci.exe 1020 Mcmabg32.exe 748 Mmbfpp32.exe 1240 Mcpnhfhf.exe 4268 Mnebeogl.exe 964 Npcoakfp.exe 3904 Nilcjp32.exe 3828 Ndaggimg.exe 1688 Nebdoa32.exe 2012 Nlmllkja.exe 2860 Ncfdie32.exe 3884 Neeqea32.exe 1216 Nnlhfn32.exe 704 Npjebj32.exe 216 Nnneknob.exe 2344 Nckndeni.exe 1944 Njefqo32.exe 2772 Odkjng32.exe 3500 Oflgep32.exe 4116 Odmgcgbi.exe 1476 Ofnckp32.exe 2124 Opdghh32.exe 3608 Ofqpqo32.exe 4696 Onhhamgg.exe 5068 Odapnf32.exe 3092 Ogpmjb32.exe 2508 Onjegled.exe 848 Oqhacgdh.exe 3604 Ocgmpccl.exe 4076 Ogbipa32.exe 2744 Ojaelm32.exe 1732 Pmoahijl.exe 2036 Pcijeb32.exe 508 Pfhfan32.exe 3272 Pnonbk32.exe 2292 Pqmjog32.exe 3044 Pclgkb32.exe 3640 Pfjcgn32.exe 2920 Pmdkch32.exe 4156 Pdkcde32.exe 4364 Pflplnlg.exe 3420 Pjhlml32.exe 3832 Pqbdjfln.exe 5100 Pcppfaka.exe 4664 Pqdqof32.exe 3584 Pgnilpah.exe 3556 Pjmehkqk.exe 4856 Qgqeappe.exe 2776 Qqijje32.exe 5116 Qcgffqei.exe 3136 Qffbbldm.exe 724 Aqkgpedc.exe 3012 Ageolo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jfnbdecg.exe Jodjhkkj.exe File created C:\Windows\SysWOW64\Lhbhlgio.dll Gnjjfegi.exe File opened for modification C:\Windows\SysWOW64\Phedhmhi.exe Pakllc32.exe File opened for modification C:\Windows\SysWOW64\Jcgnbaeo.exe Jqhafffk.exe File created C:\Windows\SysWOW64\Jjlogcip.dll Banllbdn.exe File opened for modification C:\Windows\SysWOW64\Nbadcpbh.exe Npchgdcd.exe File created C:\Windows\SysWOW64\Gpkchqdj.exe Gahcmd32.exe File created C:\Windows\SysWOW64\Ekfkeh32.dll Process not Found File created C:\Windows\SysWOW64\Imiehfao.exe Iinjhh32.exe File created C:\Windows\SysWOW64\Jicchk32.dll Process not Found File created C:\Windows\SysWOW64\Ehapfiem.exe Dahhio32.exe File created C:\Windows\SysWOW64\Gpijjo32.dll Jiaglp32.exe File created C:\Windows\SysWOW64\Cgdgna32.dll Iojbpo32.exe File created C:\Windows\SysWOW64\Pjdpelnc.exe Process not Found File created C:\Windows\SysWOW64\Ijilflah.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ikaggmii.exe Iickkbje.exe File opened for modification C:\Windows\SysWOW64\Idjlpc32.exe Inpccihl.exe File created C:\Windows\SysWOW64\Aonoao32.exe Alpbecod.exe File created C:\Windows\SysWOW64\Fkngke32.dll Jpaekqhh.exe File opened for modification C:\Windows\SysWOW64\Dmgbnq32.exe Dkifae32.exe File created C:\Windows\SysWOW64\Bbgeno32.exe Bkmmaeap.exe File opened for modification C:\Windows\SysWOW64\Dfglfdkb.exe Dnpdegjp.exe File opened for modification C:\Windows\SysWOW64\Coknoaic.exe Ckpbnb32.exe File created C:\Windows\SysWOW64\Dokmlmhl.dll Hlcjhkdp.exe File opened for modification C:\Windows\SysWOW64\Bmeandma.exe Process not Found File created C:\Windows\SysWOW64\Gmnagpbq.dll Jpkphjeb.exe File created C:\Windows\SysWOW64\Dedaad32.dll Ojnblg32.exe File created C:\Windows\SysWOW64\Fjjdgc32.dll Injcmc32.exe File opened for modification C:\Windows\SysWOW64\Micoed32.exe Malgcg32.exe File created C:\Windows\SysWOW64\Aphblj32.dll Bkaobnio.exe File opened for modification C:\Windows\SysWOW64\Onapdl32.exe Process not Found File created C:\Windows\SysWOW64\Ahmjjoig.exe Process not Found File created C:\Windows\SysWOW64\Gffnlmnd.dll Gnhdkl32.exe File opened for modification C:\Windows\SysWOW64\Ajqgidij.exe Agbkmijg.exe File created C:\Windows\SysWOW64\Ealkjh32.exe Ejbbmnnb.exe File opened for modification C:\Windows\SysWOW64\Oklkdi32.exe Ohnohn32.exe File opened for modification C:\Windows\SysWOW64\Ipdndloi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pqmjog32.exe Pnonbk32.exe File opened for modification C:\Windows\SysWOW64\Djdmffnn.exe Dhfajjoj.exe File opened for modification C:\Windows\SysWOW64\Kkconn32.exe Kclgmq32.exe File created C:\Windows\SysWOW64\Ipaooi32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Opdghh32.exe Ofnckp32.exe File opened for modification C:\Windows\SysWOW64\Jqlefl32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Ncmhko32.exe Process not Found File created C:\Windows\SysWOW64\Ooibkpmi.exe Process not Found File created C:\Windows\SysWOW64\Mdpmoppk.dll Pkbjjbda.exe File created C:\Windows\SysWOW64\Gceegdko.dll Cnahdi32.exe File opened for modification C:\Windows\SysWOW64\Fndpmndl.exe Process not Found File created C:\Windows\SysWOW64\Cfpnph32.exe Cdabcm32.exe File opened for modification C:\Windows\SysWOW64\Khpgckkb.exe Keakgpko.exe File created C:\Windows\SysWOW64\Cpchnbbb.dll Ljkifn32.exe File created C:\Windows\SysWOW64\Kaaial32.dll Njghbl32.exe File created C:\Windows\SysWOW64\Johggfha.exe Process not Found File opened for modification C:\Windows\SysWOW64\Plagcbdn.exe Pjbkgfej.exe File created C:\Windows\SysWOW64\Qljcoj32.exe Qepkbpak.exe File created C:\Windows\SysWOW64\Ncbafoge.exe Process not Found File opened for modification C:\Windows\SysWOW64\Chagok32.exe Ceckcp32.exe File created C:\Windows\SysWOW64\Kmdjdl32.dll Ddakjkqi.exe File created C:\Windows\SysWOW64\Pjbkgfej.exe Pgdokkfg.exe File opened for modification C:\Windows\SysWOW64\Jdpkflfe.exe Jbaojpgb.exe File created C:\Windows\SysWOW64\Bqbodd32.dll Qgqeappe.exe File created C:\Windows\SysWOW64\Gbchdp32.exe Glipgf32.exe File created C:\Windows\SysWOW64\Lfqedp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Emaedo32.exe Ehdmlhcj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11940 12520 Process not Found 1491 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll" Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndepccb.dll" Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hginecde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknifq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkgkgoe.dll" Kflnfcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajcdnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibffhhek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkglja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igleoo32.dll" Caienjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefabkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amodep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kglmio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phlacbfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhbkinel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acddcaom.dll" Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdlpneli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifmo32.dll" Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqopkcbn.dll" Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbbokdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmmaqlm.dll" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiihahme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkjpibb.dll" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlgcl32.dll" Qkjgegae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqcjepfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnnfbmk.dll" Ijcahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hphlgp32.dll" Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdecba32.dll" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcpfdbd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkonb32.dll" Gfdfgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igjeanmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadggj32.dll" Anmfbl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4236 wrote to memory of 1624 4236 8688f6f15738ccc2102daab2565a05d0N.exe 83 PID 4236 wrote to memory of 1624 4236 8688f6f15738ccc2102daab2565a05d0N.exe 83 PID 4236 wrote to memory of 1624 4236 8688f6f15738ccc2102daab2565a05d0N.exe 83 PID 1624 wrote to memory of 944 1624 Llemdo32.exe 84 PID 1624 wrote to memory of 944 1624 Llemdo32.exe 84 PID 1624 wrote to memory of 944 1624 Llemdo32.exe 84 PID 944 wrote to memory of 2224 944 Ldleel32.exe 85 PID 944 wrote to memory of 2224 944 Ldleel32.exe 85 PID 944 wrote to memory of 2224 944 Ldleel32.exe 85 PID 2224 wrote to memory of 1512 2224 Llgjjnlj.exe 86 PID 2224 wrote to memory of 1512 2224 Llgjjnlj.exe 86 PID 2224 wrote to memory of 1512 2224 Llgjjnlj.exe 86 PID 1512 wrote to memory of 1524 1512 Likjcbkc.exe 87 PID 1512 wrote to memory of 1524 1512 Likjcbkc.exe 87 PID 1512 wrote to memory of 1524 1512 Likjcbkc.exe 87 PID 1524 wrote to memory of 1036 1524 Lljfpnjg.exe 88 PID 1524 wrote to memory of 1036 1524 Lljfpnjg.exe 88 PID 1524 wrote to memory of 1036 1524 Lljfpnjg.exe 88 PID 1036 wrote to memory of 4604 1036 Lebkhc32.exe 89 PID 1036 wrote to memory of 4604 1036 Lebkhc32.exe 89 PID 1036 wrote to memory of 4604 1036 Lebkhc32.exe 89 PID 4604 wrote to memory of 5076 4604 Lllcen32.exe 91 PID 4604 wrote to memory of 5076 4604 Lllcen32.exe 91 PID 4604 wrote to memory of 5076 4604 Lllcen32.exe 91 PID 5076 wrote to memory of 1876 5076 Medgncoe.exe 92 PID 5076 wrote to memory of 1876 5076 Medgncoe.exe 92 PID 5076 wrote to memory of 1876 5076 Medgncoe.exe 92 PID 1876 wrote to memory of 928 1876 Mdehlk32.exe 93 PID 1876 wrote to memory of 928 1876 Mdehlk32.exe 93 PID 1876 wrote to memory of 928 1876 Mdehlk32.exe 93 PID 928 wrote to memory of 2256 928 Megdccmb.exe 95 PID 928 wrote to memory of 2256 928 Megdccmb.exe 95 PID 928 wrote to memory of 2256 928 Megdccmb.exe 95 PID 2256 wrote to memory of 2884 2256 Mdhdajea.exe 96 PID 2256 wrote to memory of 2884 2256 Mdhdajea.exe 96 PID 2256 wrote to memory of 2884 2256 Mdhdajea.exe 96 PID 2884 wrote to memory of 1020 2884 Miemjaci.exe 97 PID 2884 wrote to memory of 1020 2884 Miemjaci.exe 97 PID 2884 wrote to memory of 1020 2884 Miemjaci.exe 97 PID 1020 wrote to memory of 748 1020 Mcmabg32.exe 99 PID 1020 wrote to memory of 748 1020 Mcmabg32.exe 99 PID 1020 wrote to memory of 748 1020 Mcmabg32.exe 99 PID 748 wrote to memory of 1240 748 Mmbfpp32.exe 100 PID 748 wrote to memory of 1240 748 Mmbfpp32.exe 100 PID 748 wrote to memory of 1240 748 Mmbfpp32.exe 100 PID 1240 wrote to memory of 4268 1240 Mcpnhfhf.exe 101 PID 1240 wrote to memory of 4268 1240 Mcpnhfhf.exe 101 PID 1240 wrote to memory of 4268 1240 Mcpnhfhf.exe 101 PID 4268 wrote to memory of 964 4268 Mnebeogl.exe 102 PID 4268 wrote to memory of 964 4268 Mnebeogl.exe 102 PID 4268 wrote to memory of 964 4268 Mnebeogl.exe 102 PID 964 wrote to memory of 3904 964 Npcoakfp.exe 103 PID 964 wrote to memory of 3904 964 Npcoakfp.exe 103 PID 964 wrote to memory of 3904 964 Npcoakfp.exe 103 PID 3904 wrote to memory of 3828 3904 Nilcjp32.exe 104 PID 3904 wrote to memory of 3828 3904 Nilcjp32.exe 104 PID 3904 wrote to memory of 3828 3904 Nilcjp32.exe 104 PID 3828 wrote to memory of 1688 3828 Ndaggimg.exe 105 PID 3828 wrote to memory of 1688 3828 Ndaggimg.exe 105 PID 3828 wrote to memory of 1688 3828 Ndaggimg.exe 105 PID 1688 wrote to memory of 2012 1688 Nebdoa32.exe 106 PID 1688 wrote to memory of 2012 1688 Nebdoa32.exe 106 PID 1688 wrote to memory of 2012 1688 Nebdoa32.exe 106 PID 2012 wrote to memory of 2860 2012 Nlmllkja.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\8688f6f15738ccc2102daab2565a05d0N.exe"C:\Users\Admin\AppData\Local\Temp\8688f6f15738ccc2102daab2565a05d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe23⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe24⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe25⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe26⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe27⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe28⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe31⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe32⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe34⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe35⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe36⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe37⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe39⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe40⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe41⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe42⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe43⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe44⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe45⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe46⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe48⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe49⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe50⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe51⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe53⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe54⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe55⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe56⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe57⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe58⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4856 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe63⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe64⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe65⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe66⤵PID:2956
-
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe67⤵PID:2952
-
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe68⤵PID:1948
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe69⤵PID:1340
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe70⤵PID:5072
-
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe71⤵PID:4760
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe72⤵PID:4788
-
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe73⤵PID:2372
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe74⤵PID:2196
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe75⤵PID:840
-
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe76⤵PID:3680
-
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe77⤵PID:2264
-
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe78⤵PID:1740
-
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe79⤵PID:4536
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe80⤵PID:4128
-
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe81⤵
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe82⤵PID:2132
-
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe83⤵PID:3612
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe84⤵PID:1768
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe85⤵PID:4532
-
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe86⤵PID:2832
-
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe87⤵PID:3460
-
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe88⤵
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe90⤵PID:5236
-
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe91⤵PID:5280
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe92⤵PID:5320
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe93⤵
- Modifies registry class
PID:5368 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe94⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe95⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe96⤵PID:5500
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe98⤵PID:5584
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe99⤵PID:5628
-
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe100⤵PID:5672
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe101⤵PID:5716
-
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe102⤵PID:5760
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe103⤵
- Drops file in System32 directory
PID:5804 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe104⤵PID:5848
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe105⤵PID:5892
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe106⤵PID:5936
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe107⤵PID:5980
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe108⤵PID:6024
-
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe109⤵PID:6068
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe111⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe112⤵PID:5168
-
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5252 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe114⤵PID:5364
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe115⤵PID:5400
-
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe117⤵PID:5540
-
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe118⤵PID:5612
-
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe119⤵
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe120⤵PID:5752
-
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe121⤵PID:5812
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-