Analysis
max time kernel: 162s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 21:54
Static task
static1
Behavioral task
behavioral1
Sample
2ba628780fb6de28e7a6790f5b1c5c43_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
2ba628780fb6de28e7a6790f5b1c5c43_JC.exe
Resource
win10v2004-20230915-en
General
Target: 2ba628780fb6de28e7a6790f5b1c5c43_JC.exe
Size: 56KB
MD5: 2ba628780fb6de28e7a6790f5b1c5c43
SHA1: 108ddd9660dc417254432fb8c1a3c8fdb3c5860f
SHA256: d871d9d0b453be0e5122a4e618e8375a9729c559264c9ad2852fc7bdbeebacdf
SHA512: 899d36b35d2a2b7991896aa8f961b2bcf5ea6f6e197ec38e5493b46e9cb742f39f10e926b02cf5159f6e1dbd3fbd4765f2d0eaf17623ddab0608c4b728f73069
SSDEEP: 768:cES7JjWTjKIgeVldkSESXmGVtFx8c8DW5FdSaWDrM/LO/q3rcqh42n3m2p/1H5V7:nOj8KIgeVLrXmGLFyaqDSO/6+03m2Lph
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndmgnkja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jopiom32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knlbipjb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iipfgm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phajgf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcmeek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebimqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkmbbajb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeemop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlnnfghd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjejdglp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epikid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hknmgd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbihdhhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjopmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hckeikcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flmqem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbdiecbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjeflc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgjicb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iocliecb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfomda32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apnkfelb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nneboemj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddakdqff.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Napjnfik.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebfiqcjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kehojiej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fllplajo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpagdj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hibape32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oofepe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kqpoja32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jleicg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhdlncnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mohingqi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdiakp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iljpgl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ininloda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mljmblae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hidpbf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beefenie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnlhod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfgfkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbgeqmjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jedjkkmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljcldo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebpjjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egqeckkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jacggh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfodmdni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Engjol32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmpclnof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpacqg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bafgdfim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcanfakf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Foclpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeemop32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jecejm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ammgifpn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bocoqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hagodlge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Foghhg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igmgji32.exe
Executes dropped EXE (64 IoCs)
pid | Process
3464 | Mbgeqmjp.exe
3672 | Nijqcf32.exe
1052 | Ofgdcipq.exe
3452 | Obnehj32.exe
4456 | Pmhbqbae.exe
828 | Pbjddh32.exe
5076 | Acccdj32.exe
3208 | Bdlfjh32.exe
796 | Bkmeha32.exe
3944 | Ckbncapd.exe
220 | Cpacqg32.exe
4440 | Cmgqpkip.exe
4860 | Dgbanq32.exe
4148 | Dkpjdo32.exe
3596 | Dpopbepi.exe
4412 | Dpalgenf.exe
3152 | Ekqckmfb.exe
1708 | Fjeplijj.exe
3988 | Fklcgk32.exe
3612 | Gqkhda32.exe
3052 | Gdiakp32.exe
2032 | Hnhkdd32.exe
4208 | Hejjanpm.exe
1596 | Ilmedf32.exe
3684 | Jbijgp32.exe
904 | Kehojiej.exe
1212 | Kdmlkfjb.exe
4124 | Lbebilli.exe
1808 | Mhiabbdi.exe
1292 | Mojopk32.exe
1044 | Ncjdki32.exe
2532 | Nfknmd32.exe
4180 | Ohncdobq.exe
2036 | Obfhmd32.exe
4264 | Okailj32.exe
2812 | Pbbgicnd.exe
1680 | Pfbmdabh.exe
2348 | Pmmeak32.exe
3664 | Pkabbgol.exe
3620 | Aealll32.exe
3840 | Afceko32.exe
2396 | Afeban32.exe
936 | Bflham32.exe
3408 | Cfjeckpj.exe
2164 | Ddcogo32.exe
3920 | Dipgpf32.exe
992 | Dlcmgqdd.exe
2456 | Emioab32.exe
4804 | Gphddlfp.exe
1844 | Gdfmkjlg.exe
1932 | Gcngafol.exe
3180 | Hdppaidl.exe
212 | Hmpnqj32.exe
1280 | Hqmggi32.exe
776 | Iggocbke.exe
4204 | Imnjbhaa.exe
5008 | Jgcooaah.exe
1940 | Jmpgghoo.exe
4428 | Jgjeppkp.exe
5004 | Khonkogj.exe
2492 | Lhadgmge.exe
1832 | Mhhjhlqm.exe
3908 | Maaoaa32.exe
1168 | Meadlo32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Jamhflqq.exe | Jefgak32.exe
File created | C:\Windows\SysWOW64\Apgppaga.dll | Dkkcqj32.exe
File opened for modification | C:\Windows\SysWOW64\Ahpmckpn.exe | Aafefq32.exe
File created | C:\Windows\SysWOW64\Enccibdi.dll | Pocdba32.exe
File created | C:\Windows\SysWOW64\Lpelqj32.exe | Kcgekjgp.exe
File created | C:\Windows\SysWOW64\Pcihbdla.dll | Mnlfclip.exe
File created | C:\Windows\SysWOW64\Bdqoql32.dll | Gehbcb32.exe
File created | C:\Windows\SysWOW64\Oilmckml.exe | Nfnafpni.exe
File opened for modification | C:\Windows\SysWOW64\Ofqnlplf.exe | Oofepe32.exe
File opened for modification | C:\Windows\SysWOW64\Ohncdobq.exe | Nfknmd32.exe
File created | C:\Windows\SysWOW64\Igieoleg.exe | Hcipcnac.exe
File created | C:\Windows\SysWOW64\Fghhpq32.dll | Giofggia.exe
File opened for modification | C:\Windows\SysWOW64\Hbanfk32.exe | Hidpbf32.exe
File created | C:\Windows\SysWOW64\Akhghk32.dll | Ohgopgfj.exe
File opened for modification | C:\Windows\SysWOW64\Jglkfmmi.exe | Jdnnjane.exe
File opened for modification | C:\Windows\SysWOW64\Foclpf32.exe | Fndpfc32.exe
File created | C:\Windows\SysWOW64\Kmcnihan.dll | Pllppnnm.exe
File created | C:\Windows\SysWOW64\Oibocbah.dll | Qcppogqo.exe
File created | C:\Windows\SysWOW64\Eahhcd32.exe | Egbdekcg.exe
File created | C:\Windows\SysWOW64\Oflkln32.dll | Aoeleelp.exe
File created | C:\Windows\SysWOW64\Hjbajokj.dll | Aklmjfad.exe
File created | C:\Windows\SysWOW64\Kjnbhkqp.exe | Jpenoe32.exe
File created | C:\Windows\SysWOW64\Alfdca32.dll | Imnjbhaa.exe
File opened for modification | C:\Windows\SysWOW64\Knhbflbp.exe | Kdpmmf32.exe
File created | C:\Windows\SysWOW64\Fbkdjh32.exe | Fkalmn32.exe
File created | C:\Windows\SysWOW64\Hkhbaj32.dll | Kqknekjf.exe
File opened for modification | C:\Windows\SysWOW64\Lmpkkjcj.exe | Lknocb32.exe
File created | C:\Windows\SysWOW64\Embdofop.exe | Dgcoaock.exe
File created | C:\Windows\SysWOW64\Ibeqgdpf.exe | Hkkhjj32.exe
File opened for modification | C:\Windows\SysWOW64\Dnmaog32.exe | Dgbhbm32.exe
File created | C:\Windows\SysWOW64\Ganikk32.dll | Dhnnoe32.exe
File created | C:\Windows\SysWOW64\Bcggpcmm.dll | Lgamhjja.exe
File created | C:\Windows\SysWOW64\Hbanfk32.exe | Hidpbf32.exe
File created | C:\Windows\SysWOW64\Nmajndjb.dll | Lcmopeae.exe
File created | C:\Windows\SysWOW64\Qcppogqo.exe | Pmfhbm32.exe
File created | C:\Windows\SysWOW64\Kkhpmigp.exe | Kijcanhl.exe
File created | C:\Windows\SysWOW64\Fammoofd.dll | Dgbhbm32.exe
File created | C:\Windows\SysWOW64\Khbhdn32.exe | Knldfe32.exe
File created | C:\Windows\SysWOW64\Fiajfi32.exe | Fmjjqhpn.exe
File created | C:\Windows\SysWOW64\Ogljcokf.exe | Oqbagd32.exe
File created | C:\Windows\SysWOW64\Lbnibp32.dll | Aodejohd.exe
File created | C:\Windows\SysWOW64\Lojmmi32.exe | Lljdkn32.exe
File created | C:\Windows\SysWOW64\Bkmeha32.exe | Bdlfjh32.exe
File opened for modification | C:\Windows\SysWOW64\Aglnnkid.exe | Aamipe32.exe
File created | C:\Windows\SysWOW64\Hhjqec32.exe | Haphiiee.exe
File created | C:\Windows\SysWOW64\Fmjjqhpn.exe | Fbeeco32.exe
File opened for modification | C:\Windows\SysWOW64\Pabknbef.exe | Peljha32.exe
File created | C:\Windows\SysWOW64\Gkdhcqcj.exe | Gpodfh32.exe
File created | C:\Windows\SysWOW64\Daenfb32.dll | Jhnocbfa.exe
File created | C:\Windows\SysWOW64\Iakllgni.dll | Fhiphi32.exe
File created | C:\Windows\SysWOW64\Mplfll32.exe | Lfgboc32.exe
File created | C:\Windows\SysWOW64\Dninliei.dll | Faeihogj.exe
File created | C:\Windows\SysWOW64\Kdinpc32.dll | Jflnafno.exe
File opened for modification | C:\Windows\SysWOW64\Megldcgd.exe | Kbigajfc.exe
File created | C:\Windows\SysWOW64\Kmecqhcl.dll | Ddngdj32.exe
File created | C:\Windows\SysWOW64\Chbjoe32.dll | Ebpjjk32.exe
File created | C:\Windows\SysWOW64\Amibklml.exe | Ahmjce32.exe
File created | C:\Windows\SysWOW64\Gdfmkjlg.exe | Gphddlfp.exe
File created | C:\Windows\SysWOW64\Jpaekgph.dll | Innfgb32.exe
File created | C:\Windows\SysWOW64\Ifjoma32.exe | Ickcaf32.exe
File opened for modification | C:\Windows\SysWOW64\Pllnbh32.exe | Ohlifj32.exe
File created | C:\Windows\SysWOW64\Nchfpmcd.dll | Qkhjim32.exe
File created | C:\Windows\SysWOW64\Dmknog32.exe | Dkjbgooi.exe
File opened for modification | C:\Windows\SysWOW64\Anjngp32.exe | Adbiojfo.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gehbcb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eqkfapoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfiefp32.dll" | Afceko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolmplcl.dll" | Nhfoocaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Egbdekcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Plokgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjobl32.dll" | Oqbagd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oggjni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijpdnpib.dll" | Jkfakb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpglno32.dll" | Plokgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdiphhpk.dll" | Ilmedf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbgdnelk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedeli32.dll" | Lfaqcclf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lckbje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqdpilb.dll" | Pmjpod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbjonepq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcanfakf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckbegmin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khdedapj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhhjhlqm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glbapoqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djndja32.dll" | Aified32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifdccf32.dll" | Eopbghnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhjhh32.dll" | Aojepe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofqnlplf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Alaaajmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpmlhoil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cppfgnlj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eblpqono.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keonml32.dll" | Ooqqmoac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pkigmiai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chkokq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmhjfli.dll" | Bgimjmfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Panhmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkkdddh.dll" | Gcbnopkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlfonlf.dll" | Ehifpm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgcbbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjbbk32.dll" | Npabeq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjambg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mecjbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blgiphni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onjebpml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkphffo.dll" | Opgciodi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdkjdfa.dll" | Dogfkpih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdfjcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kminhl32.dll" | Cnlhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfkdkqeo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onfbpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gllehj32.dll" | Fdbked32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Phdngljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odfmdoph.dll" | Ahonbhig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjeflc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmdim32.dll" | Henajkcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdmdjkpo.dll" | Emioab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijipia32.dll" | Ihjafd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokmbh32.dll" | Blchmdff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Holjjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nneboemj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkmjkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necjpgbn.dll" | Ladhkmno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oajccgmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fdbked32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdqecc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fajgekol.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1716 wrote to memory of 3464 | 1716 | 2ba628780fb6de28e7a6790f5b1c5c43_JC.exe | 88
PID 1716 wrote to memory of 3464 | 1716 | 2ba628780fb6de28e7a6790f5b1c5c43_JC.exe | 88
PID 1716 wrote to memory of 3464 | 1716 | 2ba628780fb6de28e7a6790f5b1c5c43_JC.exe | 88
PID 3464 wrote to memory of 3672 | 3464 | Mbgeqmjp.exe | 89
PID 3464 wrote to memory of 3672 | 3464 | Mbgeqmjp.exe | 89
PID 3464 wrote to memory of 3672 | 3464 | Mbgeqmjp.exe | 89
PID 3672 wrote to memory of 1052 | 3672 | Nijqcf32.exe | 90
PID 3672 wrote to memory of 1052 | 3672 | Nijqcf32.exe | 90
PID 3672 wrote to memory of 1052 | 3672 | Nijqcf32.exe | 90
PID 1052 wrote to memory of 3452 | 1052 | Ofgdcipq.exe | 91
PID 1052 wrote to memory of 3452 | 1052 | Ofgdcipq.exe | 91
PID 1052 wrote to memory of 3452 | 1052 | Ofgdcipq.exe | 91
PID 3452 wrote to memory of 4456 | 3452 | Obnehj32.exe | 92
PID 3452 wrote to memory of 4456 | 3452 | Obnehj32.exe | 92
PID 3452 wrote to memory of 4456 | 3452 | Obnehj32.exe | 92
PID 4456 wrote to memory of 828 | 4456 | Pmhbqbae.exe | 93
PID 4456 wrote to memory of 828 | 4456 | Pmhbqbae.exe | 93
PID 4456 wrote to memory of 828 | 4456 | Pmhbqbae.exe | 93
PID 828 wrote to memory of 5076 | 828 | Pbjddh32.exe | 94
PID 828 wrote to memory of 5076 | 828 | Pbjddh32.exe | 94
PID 828 wrote to memory of 5076 | 828 | Pbjddh32.exe | 94
PID 5076 wrote to memory of 3208 | 5076 | Acccdj32.exe | 95
PID 5076 wrote to memory of 3208 | 5076 | Acccdj32.exe | 95
PID 5076 wrote to memory of 3208 | 5076 | Acccdj32.exe | 95
PID 3208 wrote to memory of 796 | 3208 | Bdlfjh32.exe | 96
PID 3208 wrote to memory of 796 | 3208 | Bdlfjh32.exe | 96
PID 3208 wrote to memory of 796 | 3208 | Bdlfjh32.exe | 96
PID 796 wrote to memory of 3944 | 796 | Bkmeha32.exe | 97
PID 796 wrote to memory of 3944 | 796 | Bkmeha32.exe | 97
PID 796 wrote to memory of 3944 | 796 | Bkmeha32.exe | 97
PID 3944 wrote to memory of 220 | 3944 | Ckbncapd.exe | 98
PID 3944 wrote to memory of 220 | 3944 | Ckbncapd.exe | 98
PID 3944 wrote to memory of 220 | 3944 | Ckbncapd.exe | 98
PID 220 wrote to memory of 4440 | 220 | Cpacqg32.exe | 99
PID 220 wrote to memory of 4440 | 220 | Cpacqg32.exe | 99
PID 220 wrote to memory of 4440 | 220 | Cpacqg32.exe | 99
PID 4440 wrote to memory of 4860 | 4440 | Cmgqpkip.exe | 100
PID 4440 wrote to memory of 4860 | 4440 | Cmgqpkip.exe | 100
PID 4440 wrote to memory of 4860 | 4440 | Cmgqpkip.exe | 100
PID 4860 wrote to memory of 4148 | 4860 | Dgbanq32.exe | 101
PID 4860 wrote to memory of 4148 | 4860 | Dgbanq32.exe | 101
PID 4860 wrote to memory of 4148 | 4860 | Dgbanq32.exe | 101
PID 4148 wrote to memory of 3596 | 4148 | Dkpjdo32.exe | 102
PID 4148 wrote to memory of 3596 | 4148 | Dkpjdo32.exe | 102
PID 4148 wrote to memory of 3596 | 4148 | Dkpjdo32.exe | 102
PID 3596 wrote to memory of 4412 | 3596 | Dpopbepi.exe | 103
PID 3596 wrote to memory of 4412 | 3596 | Dpopbepi.exe | 103
PID 3596 wrote to memory of 4412 | 3596 | Dpopbepi.exe | 103
PID 4412 wrote to memory of 3152 | 4412 | Dpalgenf.exe | 104
PID 4412 wrote to memory of 3152 | 4412 | Dpalgenf.exe | 104
PID 4412 wrote to memory of 3152 | 4412 | Dpalgenf.exe | 104
PID 3152 wrote to memory of 1708 | 3152 | Ekqckmfb.exe | 105
PID 3152 wrote to memory of 1708 | 3152 | Ekqckmfb.exe | 105
PID 3152 wrote to memory of 1708 | 3152 | Ekqckmfb.exe | 105
PID 1708 wrote to memory of 3988 | 1708 | Fjeplijj.exe | 106
PID 1708 wrote to memory of 3988 | 1708 | Fjeplijj.exe | 106
PID 1708 wrote to memory of 3988 | 1708 | Fjeplijj.exe | 106
PID 3988 wrote to memory of 3612 | 3988 | Fklcgk32.exe | 107
PID 3988 wrote to memory of 3612 | 3988 | Fklcgk32.exe | 107
PID 3988 wrote to memory of 3612 | 3988 | Fklcgk32.exe | 107
PID 3612 wrote to memory of 3052 | 3612 | Gqkhda32.exe | 108
PID 3612 wrote to memory of 3052 | 3612 | Gqkhda32.exe | 108
PID 3612 wrote to memory of 3052 | 3612 | Gqkhda32.exe | 108
PID 3052 wrote to memory of 2032 | 3052 | Gdiakp32.exe | 109
Processes
C:\Users\Admin\AppData\Local\Temp\2ba628780fb6de28e7a6790f5b1c5c43_JC.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ba628780fb6de28e7a6790f5b1c5c43_JC.exe"
  - Suspicious use of WriteProcessMemory
  PID:1716

C:\Windows\SysWOW64\Mbgeqmjp.exe (depth 2)
  Command line: C:\Windows\system32\Mbgeqmjp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3464

C:\Windows\SysWOW64\Nijqcf32.exe (depth 3)
  Command line: C:\Windows\system32\Nijqcf32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3672

C:\Windows\SysWOW64\Ofgdcipq.exe (depth 4)
  Command line: C:\Windows\system32\Ofgdcipq.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1052

C:\Windows\SysWOW64\Obnehj32.exe (depth 5)
  Command line: C:\Windows\system32\Obnehj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3452

C:\Windows\SysWOW64\Pmhbqbae.exe (depth 6)
  Command line: C:\Windows\system32\Pmhbqbae.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4456

C:\Windows\SysWOW64\Pbjddh32.exe (depth 7)
  Command line: C:\Windows\system32\Pbjddh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:828

C:\Windows\SysWOW64\Acccdj32.exe (depth 8)
  Command line: C:\Windows\system32\Acccdj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5076

C:\Windows\SysWOW64\Bdlfjh32.exe (depth 9)
  Command line: C:\Windows\system32\Bdlfjh32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3208

C:\Windows\SysWOW64\Bkmeha32.exe (depth 10)
  Command line: C:\Windows\system32\Bkmeha32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:796

C:\Windows\SysWOW64\Ckbncapd.exe (depth 11)
  Command line: C:\Windows\system32\Ckbncapd.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3944

C:\Windows\SysWOW64\Cpacqg32.exe (depth 12)
  Command line: C:\Windows\system32\Cpacqg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:220

C:\Windows\SysWOW64\Cmgqpkip.exe (depth 13)
  Command line: C:\Windows\system32\Cmgqpkip.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4440

C:\Windows\SysWOW64\Dgbanq32.exe (depth 14)
  Command line: C:\Windows\system32\Dgbanq32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4860

C:\Windows\SysWOW64\Dkpjdo32.exe (depth 15)
  Command line: C:\Windows\system32\Dkpjdo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4148

C:\Windows\SysWOW64\Dpopbepi.exe (depth 16)
  Command line: C:\Windows\system32\Dpopbepi.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3596

C:\Windows\SysWOW64\Dpalgenf.exe (depth 17)
  Command line: C:\Windows\system32\Dpalgenf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4412

C:\Windows\SysWOW64\Ekqckmfb.exe (depth 18)
  Command line: C:\Windows\system32\Ekqckmfb.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3152

C:\Windows\SysWOW64\Fjeplijj.exe (depth 19)
  Command line: C:\Windows\system32\Fjeplijj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1708

C:\Windows\SysWOW64\Fklcgk32.exe (depth 20)
  Command line: C:\Windows\system32\Fklcgk32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3988

C:\Windows\SysWOW64\Gqkhda32.exe (depth 21)
  Command line: C:\Windows\system32\Gqkhda32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3612

C:\Windows\SysWOW64\Gdiakp32.exe (depth 22)
  Command line: C:\Windows\system32\Gdiakp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3052

C:\Windows\SysWOW64\Hnhkdd32.exe (depth 23)
  Command line: C:\Windows\system32\Hnhkdd32.exe
  - Executes dropped EXE
  PID:2032

C:\Windows\SysWOW64\Hejjanpm.exe (depth 24)
  Command line: C:\Windows\system32\Hejjanpm.exe
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Jbijgp32.exeC:\Windows\system32\Jbijgp32.exe26⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe28⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Lbebilli.exeC:\Windows\system32\Lbebilli.exe29⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe30⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe31⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Ncjdki32.exeC:\Windows\system32\Ncjdki32.exe32⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe34⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe35⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Okailj32.exeC:\Windows\system32\Okailj32.exe36⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Pbbgicnd.exeC:\Windows\system32\Pbbgicnd.exe37⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe38⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe39⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe40⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe41⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3840 -
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe43⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Bflham32.exeC:\Windows\system32\Bflham32.exe44⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe45⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe46⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe47⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe48⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4804 -
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe51⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe52⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe53⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe54⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Hqmggi32.exeC:\Windows\system32\Hqmggi32.exe55⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Iggocbke.exeC:\Windows\system32\Iggocbke.exe56⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Imnjbhaa.exeC:\Windows\system32\Imnjbhaa.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe58⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe59⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe60⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe61⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe62⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe64⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe65⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3184 -
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe67⤵
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe68⤵
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe69⤵
- Drops file in System32 directory
PID:4768 -
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe70⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Pnmjomlg.exeC:\Windows\system32\Pnmjomlg.exe71⤵PID:4636
-
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe72⤵PID:3936
-
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe73⤵PID:2560
-
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe74⤵PID:3820
-
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe75⤵PID:4512
-
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe76⤵PID:1404
-
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe77⤵PID:2692
-
C:\Windows\SysWOW64\Cnnllhpa.exeC:\Windows\system32\Cnnllhpa.exe78⤵PID:1392
-
C:\Windows\SysWOW64\Dbgdnelk.exeC:\Windows\system32\Dbgdnelk.exe79⤵
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\Fefjanml.exeC:\Windows\system32\Fefjanml.exe80⤵PID:2656
-
C:\Windows\SysWOW64\Fghcqq32.exeC:\Windows\system32\Fghcqq32.exe81⤵PID:5028
-
C:\Windows\SysWOW64\Fhiphi32.exeC:\Windows\system32\Fhiphi32.exe82⤵
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Fochecog.exeC:\Windows\system32\Fochecog.exe83⤵PID:772
-
C:\Windows\SysWOW64\Flghognq.exeC:\Windows\system32\Flghognq.exe84⤵PID:1820
-
C:\Windows\SysWOW64\Ghqeihbb.exeC:\Windows\system32\Ghqeihbb.exe85⤵PID:5136
-
C:\Windows\SysWOW64\Ggfobofl.exeC:\Windows\system32\Ggfobofl.exe86⤵PID:5180
-
C:\Windows\SysWOW64\Glchjedc.exeC:\Windows\system32\Glchjedc.exe87⤵PID:5224
-
C:\Windows\SysWOW64\Hfpenj32.exeC:\Windows\system32\Hfpenj32.exe88⤵PID:5268
-
C:\Windows\SysWOW64\Hcipcnac.exeC:\Windows\system32\Hcipcnac.exe89⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Igieoleg.exeC:\Windows\system32\Igieoleg.exe90⤵PID:5356
-
C:\Windows\SysWOW64\Ihjafd32.exeC:\Windows\system32\Ihjafd32.exe91⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Iodjcnca.exeC:\Windows\system32\Iodjcnca.exe92⤵PID:5448
-
C:\Windows\SysWOW64\Igpkok32.exeC:\Windows\system32\Igpkok32.exe93⤵PID:5492
-
C:\Windows\SysWOW64\Jqhphq32.exeC:\Windows\system32\Jqhphq32.exe94⤵PID:5536
-
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5580 -
C:\Windows\SysWOW64\Jflnafno.exeC:\Windows\system32\Jflnafno.exe96⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Jfokff32.exeC:\Windows\system32\Jfokff32.exe97⤵PID:5668
-
C:\Windows\SysWOW64\Kcgekjgp.exeC:\Windows\system32\Kcgekjgp.exe98⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Lpelqj32.exeC:\Windows\system32\Lpelqj32.exe99⤵PID:5752
-
C:\Windows\SysWOW64\Lfodmdni.exeC:\Windows\system32\Lfodmdni.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5800 -
C:\Windows\SysWOW64\Ladhkmno.exeC:\Windows\system32\Ladhkmno.exe101⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Lfaqcclf.exeC:\Windows\system32\Lfaqcclf.exe102⤵
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Mmpbkm32.exeC:\Windows\system32\Mmpbkm32.exe103⤵PID:5928
-
C:\Windows\SysWOW64\Mdjjgggk.exeC:\Windows\system32\Mdjjgggk.exe104⤵PID:5976
-
C:\Windows\SysWOW64\Mpqklh32.exeC:\Windows\system32\Mpqklh32.exe105⤵PID:6020
-
C:\Windows\SysWOW64\Mfomda32.exeC:\Windows\system32\Mfomda32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6064 -
C:\Windows\SysWOW64\Ndhgie32.exeC:\Windows\system32\Ndhgie32.exe107⤵PID:6104
-
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe108⤵PID:5124
-
C:\Windows\SysWOW64\Nhfoocaa.exeC:\Windows\system32\Nhfoocaa.exe109⤵
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe110⤵
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Pnjgog32.exeC:\Windows\system32\Pnjgog32.exe111⤵PID:5260
-
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe112⤵
- Drops file in System32 directory
PID:5320 -
C:\Windows\SysWOW64\Aglnnkid.exeC:\Windows\system32\Aglnnkid.exe113⤵PID:5412
-
C:\Windows\SysWOW64\Aqfolqna.exeC:\Windows\system32\Aqfolqna.exe114⤵PID:5444
-
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe115⤵PID:5528
-
C:\Windows\SysWOW64\Bkhceh32.exeC:\Windows\system32\Bkhceh32.exe116⤵PID:5556
-
C:\Windows\SysWOW64\Cbknhqbl.exeC:\Windows\system32\Cbknhqbl.exe117⤵PID:5636
-
C:\Windows\SysWOW64\Cghgpgqd.exeC:\Windows\system32\Cghgpgqd.exe118⤵PID:5692
-
C:\Windows\SysWOW64\Dioiki32.exeC:\Windows\system32\Dioiki32.exe119⤵PID:5760
-
C:\Windows\SysWOW64\Eihlahjd.exeC:\Windows\system32\Eihlahjd.exe120⤵PID:5824
-
C:\Windows\SysWOW64\Fblpflfg.exeC:\Windows\system32\Fblpflfg.exe121⤵PID:4276
-
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe122⤵PID:5916