Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
180s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
01/10/2023, 11:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
-
Size
80KB
-
MD5
2fd15f2c3ad4d590b2afbf1bea06a530
-
SHA1
2413f9e9e9ddf63793ea77b2f89c31a3f38c4019
-
SHA256
8c1f00958fa7ba3dcb49289485690ae54f3ec7e71913d709ea6b992863b1adc7
-
SHA512
cdd18c46f4313c047ca1fe09aeaf55a5077fa6cee94c5f473b74ab9ce2ff888889213e79ff432acdd37831eb8bca61fa6d1d14b04c8b48fc04724f2183f9ebdc
-
SSDEEP
1536:tv5jvrfp4czE0sXKdSYUoY705YMkhohBE8VGh:PxBzts6xUjAUAEQGh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fennoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfknooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjbecqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abacjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peakkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbokoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cioohh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeafgiai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aediaoae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badlln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkglm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chggdoee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amplklmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncolfcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olobcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mahlgkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haqnea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijgemok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbnajcig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnllppfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojljcjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbaide32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpfiekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhlbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copobe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpjpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehlbihg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgclpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ingkdeak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ammmlcgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icoepohq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgndnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llomfpag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkeahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciiccbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpdfjjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpncii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbhejf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famcbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplmflde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifcdbhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebllocg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgchckl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjpfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdmneoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdmban32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peoanckj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pockoeeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgdbpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncaejie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafacd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkgbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpedmhfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olhmnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamnpahp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpjgag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abodlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beccgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pinnfonh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjckpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njchfc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2784 Feiddbbj.exe 1060 Fapeic32.exe 1636 Fleifl32.exe 2524 Fennoa32.exe 3044 Gkmbmh32.exe 2840 Ghacfmic.exe 2620 Gjbpne32.exe 2732 Gaihob32.exe 1960 Gkalhgfd.exe 2852 Gmeeepjp.exe 308 Godaakic.exe 1748 Ghlfjq32.exe 528 Hcajhi32.exe 2200 Hkmollme.exe 1500 Hnpdcf32.exe 1876 Hieiqo32.exe 2056 Hjgehgnh.exe 2484 Haqnea32.exe 1352 Ikfbbjdj.exe 944 Imgnjb32.exe 2004 Icafgmbe.exe 2300 Ingkdeak.exe 320 Imjkpb32.exe 1000 Iphgln32.exe 2432 Igoomk32.exe 1828 Ijnkifgp.exe 1808 Imlhebfc.exe 1648 Ipjdameg.exe 2836 Ibipmiek.exe 2532 Iichjc32.exe 2816 Iladfn32.exe 2548 Ibkmchbh.exe 1692 Iejiodbl.exe 2520 Imaapa32.exe 2556 Ipomlm32.exe 2884 Jelfdc32.exe 1948 Jlfnangf.exe 1824 Jbpfnh32.exe 2132 Jijokbfp.exe 1136 Jeqopcld.exe 2500 Jlkglm32.exe 2724 Joidhh32.exe 240 Jagpdd32.exe 1760 Jhahanie.exe 2052 Jdhifooi.exe 632 Jfgebjnm.exe 2968 Jieaofmp.exe 1756 Kbmfgk32.exe 816 Kdmban32.exe 848 Kmegjdad.exe 1148 Kpdcfoph.exe 1376 Kaglcgdc.exe 1992 Khadpa32.exe 1184 Keeeje32.exe 2268 Llomfpag.exe 864 Lonibk32.exe 1764 Lkdjglfo.exe 2936 Lanbdf32.exe 1812 Lhhkapeh.exe 2672 Padjmfdg.exe 2684 Joblkegc.exe 1608 Njchfc32.exe 2904 Ammmlcgi.exe 2944 Ajamfh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2616 2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe 2616 2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe 2784 Feiddbbj.exe 2784 Feiddbbj.exe 1060 Fapeic32.exe 1060 Fapeic32.exe 1636 Fleifl32.exe 1636 Fleifl32.exe 2524 Fennoa32.exe 2524 Fennoa32.exe 3044 Gkmbmh32.exe 3044 Gkmbmh32.exe 2840 Ghacfmic.exe 2840 Ghacfmic.exe 2620 Gjbpne32.exe 2620 Gjbpne32.exe 2732 Gaihob32.exe 2732 Gaihob32.exe 1960 Gkalhgfd.exe 1960 Gkalhgfd.exe 2852 Gmeeepjp.exe 2852 Gmeeepjp.exe 308 Godaakic.exe 308 Godaakic.exe 1748 Ghlfjq32.exe 1748 Ghlfjq32.exe 528 Hcajhi32.exe 528 Hcajhi32.exe 2200 Hkmollme.exe 2200 Hkmollme.exe 1500 Hnpdcf32.exe 1500 Hnpdcf32.exe 1876 Hieiqo32.exe 1876 Hieiqo32.exe 2056 Hjgehgnh.exe 2056 Hjgehgnh.exe 2484 Haqnea32.exe 2484 Haqnea32.exe 1352 Ikfbbjdj.exe 1352 Ikfbbjdj.exe 944 Imgnjb32.exe 944 Imgnjb32.exe 2004 Icafgmbe.exe 2004 Icafgmbe.exe 2300 Ingkdeak.exe 2300 Ingkdeak.exe 320 Imjkpb32.exe 320 Imjkpb32.exe 1000 Iphgln32.exe 1000 Iphgln32.exe 2432 Igoomk32.exe 2432 Igoomk32.exe 1828 Ijnkifgp.exe 1828 Ijnkifgp.exe 1808 Imlhebfc.exe 1808 Imlhebfc.exe 1648 Ipjdameg.exe 1648 Ipjdameg.exe 2836 Ibipmiek.exe 2836 Ibipmiek.exe 2532 Iichjc32.exe 2532 Iichjc32.exe 2816 Iladfn32.exe 2816 Iladfn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Niligfhh.dll Qifpqi32.exe File created C:\Windows\SysWOW64\Gcpdip32.exe Qfbcae32.exe File created C:\Windows\SysWOW64\Gqpoindi.dll Gcpdip32.exe File created C:\Windows\SysWOW64\Hieiqo32.exe Hnpdcf32.exe File created C:\Windows\SysWOW64\Dlpdfjjp.exe Dibhjokm.exe File created C:\Windows\SysWOW64\Glanhbmn.dll Pbaide32.exe File created C:\Windows\SysWOW64\Oqcffi32.exe Onejjm32.exe File opened for modification C:\Windows\SysWOW64\Nogodcli.exe Nmfblk32.exe File created C:\Windows\SysWOW64\Lddcfl32.dll Fqpbpo32.exe File created C:\Windows\SysWOW64\Gampaipe.exe Goocenaa.exe File created C:\Windows\SysWOW64\Aakhkj32.exe Amplklmj.exe File created C:\Windows\SysWOW64\Bhbpahan.exe Bojkib32.exe File created C:\Windows\SysWOW64\Eclfhgaf.exe Ejdaoa32.exe File opened for modification C:\Windows\SysWOW64\Nqdjge32.exe Nhmbfhfd.exe File created C:\Windows\SysWOW64\Fhojbk32.dll Onejjm32.exe File created C:\Windows\SysWOW64\Kedbbm32.dll Fpgpjdnf.exe File created C:\Windows\SysWOW64\Cleaebna.exe Chiedc32.exe File created C:\Windows\SysWOW64\Ohifch32.exe Odnjbibf.exe File created C:\Windows\SysWOW64\Gkalhgfd.exe Gaihob32.exe File created C:\Windows\SysWOW64\Jhahanie.exe Jagpdd32.exe File created C:\Windows\SysWOW64\Mjpdkq32.dll Einebddd.exe File created C:\Windows\SysWOW64\Mdehcgni.dll Icoepohq.exe File created C:\Windows\SysWOW64\Bppknhnn.dll Pockoeeg.exe File created C:\Windows\SysWOW64\Ghkabpbh.dll Daibfa32.exe File created C:\Windows\SysWOW64\Afhklj32.dll Popkeh32.exe File created C:\Windows\SysWOW64\Bokcom32.exe Bmmgbbeq.exe File opened for modification C:\Windows\SysWOW64\Nhmbfhfd.exe Ngkfnp32.exe File created C:\Windows\SysWOW64\Jhbikcdn.dll Djhnmj32.exe File created C:\Windows\SysWOW64\Pgpjpnhk.exe Pafacd32.exe File opened for modification C:\Windows\SysWOW64\Ambnlmja.exe Ajcbpbkn.exe File created C:\Windows\SysWOW64\Bojkib32.exe Bimbql32.exe File created C:\Windows\SysWOW64\Mpjgag32.exe Iilalc32.exe File opened for modification C:\Windows\SysWOW64\Cbagdq32.exe Ckgogfmg.exe File opened for modification C:\Windows\SysWOW64\Opoocb32.exe Onacgf32.exe File opened for modification C:\Windows\SysWOW64\Bgbemjqh.exe Aediaoae.exe File opened for modification C:\Windows\SysWOW64\Bbqkeioh.exe Bemkle32.exe File created C:\Windows\SysWOW64\Baboljno.dll Donojm32.exe File created C:\Windows\SysWOW64\Iemalkgd.exe Icoepohq.exe File created C:\Windows\SysWOW64\Mdekjmob.dll Pjndca32.exe File created C:\Windows\SysWOW64\Efoied32.dll Aldfcpjn.exe File opened for modification C:\Windows\SysWOW64\Pgkqeo32.exe Pemdic32.exe File created C:\Windows\SysWOW64\Knjfogkd.dll Ehphdf32.exe File created C:\Windows\SysWOW64\Oejfld32.dll Paagkq32.exe File created C:\Windows\SysWOW64\Diaalggp.dll Djoeki32.exe File opened for modification C:\Windows\SysWOW64\Pbjkop32.exe Pmmcfi32.exe File opened for modification C:\Windows\SysWOW64\Ejadibmh.exe Dgalhgpg.exe File opened for modification C:\Windows\SysWOW64\Jeafgiai.exe Injnfl32.exe File created C:\Windows\SysWOW64\Apapcnaf.exe Agilkijf.exe File created C:\Windows\SysWOW64\Baakem32.exe Bkgchckl.exe File created C:\Windows\SysWOW64\Aafmic32.dll Fbflfomj.exe File created C:\Windows\SysWOW64\Mmelnghf.dll Djfagjai.exe File opened for modification C:\Windows\SysWOW64\Meakbjaj.exe Madbll32.exe File opened for modification C:\Windows\SysWOW64\Ingkdeak.exe Icafgmbe.exe File created C:\Windows\SysWOW64\Fmfalg32.exe Fhjhdp32.exe File created C:\Windows\SysWOW64\Bdmklico.exe Bncboo32.exe File opened for modification C:\Windows\SysWOW64\Bpdkajic.exe Baakem32.exe File created C:\Windows\SysWOW64\Bngdkkof.dll Nhmbfhfd.exe File opened for modification C:\Windows\SysWOW64\Lifqbjpk.exe Lfhdeoqh.exe File created C:\Windows\SysWOW64\Cmpppdfa.dll Khadpa32.exe File created C:\Windows\SysWOW64\Ncpjnahm.exe Nqamaeii.exe File created C:\Windows\SysWOW64\Eijhke32.dll Efolib32.exe File created C:\Windows\SysWOW64\Mjeodhmf.dll Aediaoae.exe File created C:\Windows\SysWOW64\Mahbhjpe.dll Ckilmfke.exe File created C:\Windows\SysWOW64\Pemdic32.exe Pncllifp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegaeabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omaepoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poibmdmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcoip32.dll" Nhffikob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmopge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icaipj32.dll" Bemkle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bogljj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epnkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clneaj32.dll" Bimbql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ingmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkmbmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chickknc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpgpjdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjghbbmo.dll" Ddmchcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkjkcfjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmeagdlp.dll" Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnjipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chiedc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eincmega.dll" Baakem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodbfd32.dll" Fgjnpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqllghon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdehpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmmgbbeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbcdjpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnncip32.dll" Bpbadcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnhhpaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokofcne.dll" Kdmban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcajpjoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odnjbibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnlnkk32.dll" Pciiccbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkggfkj.dll" Bkbjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakoae32.dll" Bhiglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikcbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afcghbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedeohin.dll" Dcjmcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deiipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqajqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnahl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkeoongd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mamcfo32.dll" Eocfmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngkfnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injnfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pconjjql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fennoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlboca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcppbl32.dll" Hcjldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkamfnj.dll" Ppbfmdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcedbefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll" Igbqdlea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfegjknm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogkbmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjaieoko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkbcjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhhkapeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neojknfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aflmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcgmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll" Donojm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gibmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnofng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddmokoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjgag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keeeje32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2616 wrote to memory of 2784 2616 2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe 28 PID 2616 wrote to memory of 2784 2616 2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe 28 PID 2616 wrote to memory of 2784 2616 2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe 28 PID 2616 wrote to memory of 2784 2616 2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe 28 PID 2784 wrote to memory of 1060 2784 Feiddbbj.exe 29 PID 2784 wrote to memory of 1060 2784 Feiddbbj.exe 29 PID 2784 wrote to memory of 1060 2784 Feiddbbj.exe 29 PID 2784 wrote to memory of 1060 2784 Feiddbbj.exe 29 PID 1060 wrote to memory of 1636 1060 Fapeic32.exe 30 PID 1060 wrote to memory of 1636 1060 Fapeic32.exe 30 PID 1060 wrote to memory of 1636 1060 Fapeic32.exe 30 PID 1060 wrote to memory of 1636 1060 Fapeic32.exe 30 PID 1636 wrote to memory of 2524 1636 Fleifl32.exe 31 PID 1636 wrote to memory of 2524 1636 Fleifl32.exe 31 PID 1636 wrote to memory of 2524 1636 Fleifl32.exe 31 PID 1636 wrote to memory of 2524 1636 Fleifl32.exe 31 PID 2524 wrote to memory of 3044 2524 Fennoa32.exe 32 PID 2524 wrote to memory of 3044 2524 Fennoa32.exe 32 PID 2524 wrote to memory of 3044 2524 Fennoa32.exe 32 PID 2524 wrote to memory of 3044 2524 Fennoa32.exe 32 PID 3044 wrote to memory of 2840 3044 Gkmbmh32.exe 33 PID 3044 wrote to memory of 2840 3044 Gkmbmh32.exe 33 PID 3044 wrote to memory of 2840 3044 Gkmbmh32.exe 33 PID 3044 wrote to memory of 2840 3044 Gkmbmh32.exe 33 PID 2840 wrote to memory of 2620 2840 Ghacfmic.exe 35 PID 2840 wrote to memory of 2620 2840 Ghacfmic.exe 35 PID 2840 wrote to memory of 2620 2840 Ghacfmic.exe 35 PID 2840 wrote to memory of 2620 2840 Ghacfmic.exe 35 PID 2620 wrote to memory of 2732 2620 Gjbpne32.exe 36 PID 2620 wrote to memory of 2732 2620 Gjbpne32.exe 36 PID 2620 wrote to memory of 2732 2620 Gjbpne32.exe 36 PID 2620 wrote to memory of 2732 2620 Gjbpne32.exe 36 PID 2732 wrote to memory of 1960 2732 Gaihob32.exe 37 PID 2732 wrote to memory of 1960 2732 Gaihob32.exe 37 PID 2732 wrote to memory of 1960 2732 Gaihob32.exe 37 PID 2732 wrote to memory of 1960 2732 Gaihob32.exe 37 PID 1960 wrote to memory of 2852 1960 Gkalhgfd.exe 39 PID 1960 wrote to memory of 2852 1960 Gkalhgfd.exe 39 PID 1960 wrote to memory of 2852 1960 Gkalhgfd.exe 39 PID 1960 wrote to memory of 2852 1960 Gkalhgfd.exe 39 PID 2852 wrote to memory of 308 2852 Gmeeepjp.exe 38 PID 2852 wrote to memory of 308 2852 Gmeeepjp.exe 38 PID 2852 wrote to memory of 308 2852 Gmeeepjp.exe 38 PID 2852 wrote to memory of 308 2852 Gmeeepjp.exe 38 PID 308 wrote to memory of 1748 308 Godaakic.exe 40 PID 308 wrote to memory of 1748 308 Godaakic.exe 40 PID 308 wrote to memory of 1748 308 Godaakic.exe 40 PID 308 wrote to memory of 1748 308 Godaakic.exe 40 PID 1748 wrote to memory of 528 1748 Ghlfjq32.exe 41 PID 1748 wrote to memory of 528 1748 Ghlfjq32.exe 41 PID 1748 wrote to memory of 528 1748 Ghlfjq32.exe 41 PID 1748 wrote to memory of 528 1748 Ghlfjq32.exe 41 PID 528 wrote to memory of 2200 528 Hcajhi32.exe 42 PID 528 wrote to memory of 2200 528 Hcajhi32.exe 42 PID 528 wrote to memory of 2200 528 Hcajhi32.exe 42 PID 528 wrote to memory of 2200 528 Hcajhi32.exe 42 PID 2200 wrote to memory of 1500 2200 Hkmollme.exe 43 PID 2200 wrote to memory of 1500 2200 Hkmollme.exe 43 PID 2200 wrote to memory of 1500 2200 Hkmollme.exe 43 PID 2200 wrote to memory of 1500 2200 Hkmollme.exe 43 PID 1500 wrote to memory of 1876 1500 Hnpdcf32.exe 44 PID 1500 wrote to memory of 1876 1500 Hnpdcf32.exe 44 PID 1500 wrote to memory of 1876 1500 Hnpdcf32.exe 44 PID 1500 wrote to memory of 1876 1500 Hnpdcf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe"C:\Users\Admin\AppData\Local\Temp\2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe22⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe23⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe24⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe25⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe26⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe27⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe28⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe29⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe30⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe32⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:240 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe34⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe35⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe36⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe37⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe38⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe40⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe41⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Kaglcgdc.exeC:\Windows\system32\Kaglcgdc.exe42⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe46⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe47⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe48⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe50⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Joblkegc.exeC:\Windows\system32\Joblkegc.exe51⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ammmlcgi.exeC:\Windows\system32\Ammmlcgi.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ajamfh32.exeC:\Windows\system32\Ajamfh32.exe54⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe55⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe56⤵PID:2508
-
C:\Windows\SysWOW64\Bemkle32.exeC:\Windows\system32\Bemkle32.exe57⤵
- Drops file in System32 directory
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Bbqkeioh.exeC:\Windows\system32\Bbqkeioh.exe58⤵PID:1320
-
C:\Windows\SysWOW64\Bikcbc32.exeC:\Windows\system32\Bikcbc32.exe59⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Bogljj32.exeC:\Windows\system32\Bogljj32.exe60⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Bimphc32.exeC:\Windows\system32\Bimphc32.exe61⤵PID:2856
-
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe62⤵PID:2280
-
C:\Windows\SysWOW64\Bojipjcj.exeC:\Windows\system32\Bojipjcj.exe63⤵PID:564
-
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe64⤵PID:1064
-
C:\Windows\SysWOW64\Chggdoee.exeC:\Windows\system32\Chggdoee.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe66⤵PID:1264
-
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:440 -
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe68⤵PID:1788
-
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe69⤵PID:2296
-
C:\Windows\SysWOW64\Cglcek32.exeC:\Windows\system32\Cglcek32.exe70⤵PID:768
-
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe71⤵PID:2180
-
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe72⤵PID:2324
-
C:\Windows\SysWOW64\Cfaqfh32.exeC:\Windows\system32\Cfaqfh32.exe73⤵PID:3064
-
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe74⤵PID:928
-
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe75⤵PID:2172
-
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe76⤵PID:2664
-
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe77⤵PID:2636
-
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe78⤵PID:2116
-
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe79⤵PID:2668
-
C:\Windows\SysWOW64\Donojm32.exeC:\Windows\system32\Donojm32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe82⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Dkeoongd.exeC:\Windows\system32\Dkeoongd.exe83⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:852 -
C:\Windows\SysWOW64\Ddmchcnd.exeC:\Windows\system32\Ddmchcnd.exe85⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe86⤵PID:2976
-
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe87⤵PID:1644
-
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe88⤵PID:392
-
C:\Windows\SysWOW64\Dqfabdaf.exeC:\Windows\system32\Dqfabdaf.exe89⤵PID:872
-
C:\Windows\SysWOW64\Dcemnopj.exeC:\Windows\system32\Dcemnopj.exe90⤵PID:2032
-
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe91⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe92⤵PID:1740
-
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe93⤵PID:1804
-
C:\Windows\SysWOW64\Eqkjmcmq.exeC:\Windows\system32\Eqkjmcmq.exe94⤵PID:3012
-
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe95⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Eqngcc32.exeC:\Windows\system32\Eqngcc32.exe96⤵PID:2780
-
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe97⤵PID:2544
-
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe98⤵PID:2696
-
C:\Windows\SysWOW64\Epeajo32.exeC:\Windows\system32\Epeajo32.exe99⤵PID:3036
-
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe100⤵
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe101⤵PID:2736
-
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe102⤵PID:1324
-
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe103⤵PID:760
-
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Feipbefb.exeC:\Windows\system32\Feipbefb.exe105⤵PID:1444
-
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe106⤵PID:1792
-
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe107⤵PID:1884
-
C:\Windows\SysWOW64\Fpbqcb32.exeC:\Windows\system32\Fpbqcb32.exe108⤵PID:976
-
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe109⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe110⤵PID:1696
-
C:\Windows\SysWOW64\Fdqiiaih.exeC:\Windows\system32\Fdqiiaih.exe111⤵PID:2044
-
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe112⤵PID:2776
-
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe113⤵PID:2552
-
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe114⤵PID:2948
-
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe115⤵PID:3048
-
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe116⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe117⤵PID:1360
-
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe118⤵PID:1928
-
C:\Windows\SysWOW64\Gbmlkl32.exeC:\Windows\system32\Gbmlkl32.exe119⤵PID:1004
-
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe120⤵PID:2488
-
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe121⤵PID:1116
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-