Analysis
- max time kernel: 179s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 01:21
Static task: static1

Behavioral task: behavioral1
- Sample: e68ee73e5a3b27a19aa4c40d9225a338_JC.exe
- Resource: win7-20230831-en
- 6 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: e68ee73e5a3b27a19aa4c40d9225a338_JC.exe
- Resource: win10v2004-20230915-en
- 5 signatures
- 150 seconds
General
- Target: e68ee73e5a3b27a19aa4c40d9225a338_JC.exe
- Size: 123KB
- MD5: e68ee73e5a3b27a19aa4c40d9225a338
- SHA1: 56e43285a202b59b880e6fd4cfeeded80a49bc7d
- SHA256: 254f5581c00122d1967a215122922c0d094113d60ff43bef6b286f6a663c23d0
- SHA512: 8707935e04a911a2f8fdf0106ea41278f80e67b8aaa7dc0714d66a85d3568d94d7d9be0cb0ca0b8f784a54f1c916b6a4c3d2ae56374366cc1fc88904fe87b064
- SSDEEP: 3072:S+UepDtXxL2uRlGRdtDbf5qOzy5/qH1RYSa9rR85DEn5k7r8:S+UephXxy8OtDbUOzKiH14rQD85k/8
- Score: 10/10
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkjmea32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffaogm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhogkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bgmnhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gjnnoldm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hahcfi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfhehlhe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbhbkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhdkig32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmkcjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pkqdhnom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pkencn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbikdbnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gjcfmfpk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkpidl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbdmnbnc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncgkma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdfilkbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ceoillaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fgdbgbof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fbajlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Keekci32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npepdl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggbmkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eeddfe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpnbhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hjchjl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmliem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmfchq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmhmmmgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lejenhei.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Padeem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jeilgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pffghc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okgodj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oihapg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afgame32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnkbdqpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afpbenhi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbgbjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Akihcfid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ephlnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pbkagfba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdcjfg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oaomij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmnliijj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oddmhp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aalndaml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aepklffh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Noihojgo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Poagfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bjgncihp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cikgecag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gngllfol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oddmhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nacboi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceoillaj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daiegp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eipigqop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pafcjijo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkpbgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbhbkc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akcjel32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bohiliof.exe
- Executes dropped EXE (64 IoCs)
pid | Process
2988 | Pomncfge.exe
4484 | Qfjcep32.exe
3552 | Qpbgnecp.exe
2320 | Akihcfid.exe
3596 | Abemep32.exe
4264 | Almanf32.exe
1816 | Acgfec32.exe
884 | Amoknh32.exe
3420 | Bejobk32.exe
5016 | Bppcpc32.exe
4284 | Blgddd32.exe
2848 | Bmimdg32.exe
1776 | Bipnihgi.exe
976 | Cefoni32.exe
4992 | Clbdpc32.exe
1860 | Cifdjg32.exe
2352 | Clgmkbna.exe
3488 | Emeffcid.exe
412 | Eepkkefp.exe
4760 | Ecdkdj32.exe
1660 | Ephlnn32.exe
1812 | Eeddfe32.exe
2472 | Ecidpiad.exe
916 | Flfbcndo.exe
3316 | Ffnglc32.exe
3900 | Fcbgfhii.exe
436 | Fnglcqio.exe
1272 | Gjnlha32.exe
2664 | Gddqejni.exe
3768 | Gjebiq32.exe
4176 | Hfeoijbi.exe
1672 | Qdflaa32.exe
1384 | Iooimi32.exe
1856 | Npqmipjq.exe
1540 | Aeigilml.exe
4836 | Jpjhlche.exe
4332 | Coegih32.exe
2772 | Dpnfjjla.exe
2748 | Dapcab32.exe
3336 | Dcopke32.exe
4392 | Dpcpei32.exe
2908 | Dfphmp32.exe
2092 | Eoocfegl.exe
4268 | Efikco32.exe
4248 | Ehhgpj32.exe
760 | Ecmlmcmb.exe
4300 | Ejgdim32.exe
3776 | Eodlad32.exe
3852 | Ebbinp32.exe
4120 | Emhmkh32.exe
60 | Fofigd32.exe
604 | Fqhbgf32.exe
2300 | Fcfocb32.exe
840 | Fmoclg32.exe
3672 | Fomohc32.exe
4064 | Ffggdmbi.exe
4388 | Fifdqhal.exe
2680 | Fckhnaab.exe
1504 | Ffjdjmpf.exe
4292 | Gqohge32.exe
1568 | Gobicbgf.exe
1668 | Gbqeonfj.exe
4200 | Hmolbene.exe
3512 | Jaljaoii.exe
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Pafcjijo.exe | Plijbblh.exe
File opened for modification | C:\Windows\SysWOW64\Nfjofg32.exe | Nnojad32.exe
File created | C:\Windows\SysWOW64\Qalkfl32.exe | Pmpoemef.exe
File created | C:\Windows\SysWOW64\Mackpg32.exe | Moeock32.exe
File created | C:\Windows\SysWOW64\Doilalka.exe | Dimciemj.exe
File created | C:\Windows\SysWOW64\Efljmi32.dll | Ojmcej32.exe
File opened for modification | C:\Windows\SysWOW64\Cjejdglp.exe | Bciebm32.exe
File created | C:\Windows\SysWOW64\Fibocnnj.exe | Fgdbgbof.exe
File created | C:\Windows\SysWOW64\Baocpnmf.exe | Bopgdcnc.exe
File created | C:\Windows\SysWOW64\Dffmogji.exe | Daiegp32.exe
File created | C:\Windows\SysWOW64\Hmolbene.exe | Gbqeonfj.exe
File created | C:\Windows\SysWOW64\Hilkfajn.dll | Ligglo32.exe
File opened for modification | C:\Windows\SysWOW64\Nacboi32.exe | Ndpafe32.exe
File created | C:\Windows\SysWOW64\Ommjipel.exe | Ojommdfh.exe
File created | C:\Windows\SysWOW64\Dhdmpapp.exe | Diopoe32.exe
File created | C:\Windows\SysWOW64\Hoclajjj.dll | Acgfec32.exe
File created | C:\Windows\SysWOW64\Fgfpal32.dll | Fineho32.exe
File created | C:\Windows\SysWOW64\Blfnkb32.dll | Qjijgead.exe
File created | C:\Windows\SysWOW64\Ikmcpbbo.dll | Eeddfe32.exe
File created | C:\Windows\SysWOW64\Boipkd32.dll | Bppcpc32.exe
File created | C:\Windows\SysWOW64\Dmjefkap.exe | Cfqmjajc.exe
File created | C:\Windows\SysWOW64\Hladecfn.dll | Dfjpppbh.exe
File created | C:\Windows\SysWOW64\Ehoegjcf.dll | Okgabpgg.exe
File created | C:\Windows\SysWOW64\Acjhkgkp.dll | Ognpilmp.exe
File created | C:\Windows\SysWOW64\Chokndbg.exe | Ceaobicd.exe
File opened for modification | C:\Windows\SysWOW64\Plijbblh.exe | Ooejhn32.exe
File created | C:\Windows\SysWOW64\Ajoknk32.dll | Akcjel32.exe
File created | C:\Windows\SysWOW64\Hahjbbpj.dll | Cleqoh32.exe
File opened for modification | C:\Windows\SysWOW64\Qoecol32.exe | Qjijgead.exe
File created | C:\Windows\SysWOW64\Lekmoh32.dll | Cpgjjhfe.exe
File created | C:\Windows\SysWOW64\Dpdoqp32.exe | Dhmgob32.exe
File opened for modification | C:\Windows\SysWOW64\Ffjignde.exe | Fldeie32.exe
File created | C:\Windows\SysWOW64\Kenebjof.exe | Jeilgk32.exe
File opened for modification | C:\Windows\SysWOW64\Odpcmpnl.exe | Oaagadoh.exe
File created | C:\Windows\SysWOW64\Plpqba32.exe | Pefhfgoc.exe
File created | C:\Windows\SysWOW64\Bfghem32.exe | Bbkleojh.exe
File created | C:\Windows\SysWOW64\Clbdpc32.exe | Cefoni32.exe
File created | C:\Windows\SysWOW64\Cmdfpbkc.exe | Cjejdglp.exe
File created | C:\Windows\SysWOW64\Fagbqjjm.dll | Gpmgph32.exe
File created | C:\Windows\SysWOW64\Akcjel32.exe | Afgame32.exe
File created | C:\Windows\SysWOW64\Jfigdl32.dll | Abmbaf32.exe
File created | C:\Windows\SysWOW64\Oiihaf32.dll | Cejahhki.exe
File opened for modification | C:\Windows\SysWOW64\Jpjhlche.exe | Aeigilml.exe
File created | C:\Windows\SysWOW64\Godcfm32.dll | Ccmgbf32.exe
File created | C:\Windows\SysWOW64\Idicqm32.exe | Hcdmlk32.exe
File created | C:\Windows\SysWOW64\Hcodco32.dll | Bbgbjo32.exe
File created | C:\Windows\SysWOW64\Jpkpnjhg.dll | Dbnbaljc.exe
File created | C:\Windows\SysWOW64\Chbncg32.exe | Cahffmel.exe
File opened for modification | C:\Windows\SysWOW64\Dejhgkgm.exe | Dbllkohi.exe
File opened for modification | C:\Windows\SysWOW64\Efamkepl.exe | Eaddcnad.exe
File opened for modification | C:\Windows\SysWOW64\Oafido32.exe | Ofaeffpa.exe
File created | C:\Windows\SysWOW64\Hkhhfk32.dll | Noledjel.exe
File created | C:\Windows\SysWOW64\Nkebokin.exe | Nhffcpjj.exe
File opened for modification | C:\Windows\SysWOW64\Pnknbc32.exe | Pgqefilj.exe
File created | C:\Windows\SysWOW64\Liiiei32.dll | Ngpjgpec.exe
File created | C:\Windows\SysWOW64\Dbbjkf32.dll | Ceoillaj.exe
File opened for modification | C:\Windows\SysWOW64\Mcnfhmcf.exe | Gkfnnjnl.exe
File created | C:\Windows\SysWOW64\Ebcfnmcb.dll | Fifdqhal.exe
File created | C:\Windows\SysWOW64\Fplmlp32.dll | Lhogkc32.exe
File created | C:\Windows\SysWOW64\Npepdl32.exe | Nmfchq32.exe
File opened for modification | C:\Windows\SysWOW64\Nmfchq32.exe | Nqpccp32.exe
File created | C:\Windows\SysWOW64\Aalndaml.exe | Anmagenh.exe
File created | C:\Windows\SysWOW64\Bjjjhifm.exe | Bodfkpfg.exe
File opened for modification | C:\Windows\SysWOW64\Fdmjnajo.exe | Flebmcil.exe
- Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ecefjckj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaohihfd.dll" | Fckaoneo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ejabgcdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijglqoo.dll" | Cmdfpbkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Clbdpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pafcjijo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Plpqba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjfae32.dll" | Gideogil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdadip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qfjcep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Abbiopbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Afildo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Amoknh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njghcg32.dll" | Majjgmco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dhmgob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bjpaheio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dfjpppbh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oglcdlob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oeammbbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Odnngclb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nkgmmpab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagbqjjm.dll" | Gpmgph32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bjpjoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Efoiko32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bcgfnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfldfk32.dll" | Pgjfdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mlooef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdjilphb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hjhaeklb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Npepdl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cpmipa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Diffabgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jelhphdq.dll" | Iacbbh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndpafe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bdfilkbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Chhkmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bciebm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndddaahi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lelcbmcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Epdaneff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifjohe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Adiojl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ehhgpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fcfocb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hahcfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eniokh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkoggp.dll" | Gddqejni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gcimpl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ffkpadga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfqmjajc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hjgohf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kallhjoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ldanedho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmkleoe.dll" | Dpnbhl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dclknkfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abcghg32.dll" | Iqklhd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qoecol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhhklmj.dll" | Gdjilphb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcnaej32.dll" | Bnmcop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genkfiha.dll" | Ceehmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Obdkfg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hjgohf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcodco32.dll" | Bbgbjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehepld32.dll" | Blgddd32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2984 wrote to memory of 2988 | 2984 | e68ee73e5a3b27a19aa4c40d9225a338_JC.exe | 88
PID 2984 wrote to memory of 2988 | 2984 | e68ee73e5a3b27a19aa4c40d9225a338_JC.exe | 88
PID 2984 wrote to memory of 2988 | 2984 | e68ee73e5a3b27a19aa4c40d9225a338_JC.exe | 88
PID 2988 wrote to memory of 4484 | 2988 | Pomncfge.exe | 89
PID 2988 wrote to memory of 4484 | 2988 | Pomncfge.exe | 89
PID 2988 wrote to memory of 4484 | 2988 | Pomncfge.exe | 89
PID 4484 wrote to memory of 3552 | 4484 | Qfjcep32.exe | 90
PID 4484 wrote to memory of 3552 | 4484 | Qfjcep32.exe | 90
PID 4484 wrote to memory of 3552 | 4484 | Qfjcep32.exe | 90
PID 3552 wrote to memory of 2320 | 3552 | Qpbgnecp.exe | 91
PID 3552 wrote to memory of 2320 | 3552 | Qpbgnecp.exe | 91
PID 3552 wrote to memory of 2320 | 3552 | Qpbgnecp.exe | 91
PID 2320 wrote to memory of 3596 | 2320 | Akihcfid.exe | 92
PID 2320 wrote to memory of 3596 | 2320 | Akihcfid.exe | 92
PID 2320 wrote to memory of 3596 | 2320 | Akihcfid.exe | 92
PID 3596 wrote to memory of 4264 | 3596 | Abemep32.exe | 93
PID 3596 wrote to memory of 4264 | 3596 | Abemep32.exe | 93
PID 3596 wrote to memory of 4264 | 3596 | Abemep32.exe | 93
PID 4264 wrote to memory of 1816 | 4264 | Almanf32.exe | 94
PID 4264 wrote to memory of 1816 | 4264 | Almanf32.exe | 94
PID 4264 wrote to memory of 1816 | 4264 | Almanf32.exe | 94
PID 1816 wrote to memory of 884 | 1816 | Acgfec32.exe | 95
PID 1816 wrote to memory of 884 | 1816 | Acgfec32.exe | 95
PID 1816 wrote to memory of 884 | 1816 | Acgfec32.exe | 95
PID 884 wrote to memory of 3420 | 884 | Amoknh32.exe | 96
PID 884 wrote to memory of 3420 | 884 | Amoknh32.exe | 96
PID 884 wrote to memory of 3420 | 884 | Amoknh32.exe | 96
PID 3420 wrote to memory of 5016 | 3420 | Bejobk32.exe | 97
PID 3420 wrote to memory of 5016 | 3420 | Bejobk32.exe | 97
PID 3420 wrote to memory of 5016 | 3420 | Bejobk32.exe | 97
PID 5016 wrote to memory of 4284 | 5016 | Bppcpc32.exe | 98
PID 5016 wrote to memory of 4284 | 5016 | Bppcpc32.exe | 98
PID 5016 wrote to memory of 4284 | 5016 | Bppcpc32.exe | 98
PID 4284 wrote to memory of 2848 | 4284 | Blgddd32.exe | 99
PID 4284 wrote to memory of 2848 | 4284 | Blgddd32.exe | 99
PID 4284 wrote to memory of 2848 | 4284 | Blgddd32.exe | 99
PID 2848 wrote to memory of 1776 | 2848 | Bmimdg32.exe | 100
PID 2848 wrote to memory of 1776 | 2848 | Bmimdg32.exe | 100
PID 2848 wrote to memory of 1776 | 2848 | Bmimdg32.exe | 100
PID 1776 wrote to memory of 976 | 1776 | Bipnihgi.exe | 101
PID 1776 wrote to memory of 976 | 1776 | Bipnihgi.exe | 101
PID 1776 wrote to memory of 976 | 1776 | Bipnihgi.exe | 101
PID 976 wrote to memory of 4992 | 976 | Cefoni32.exe | 102
PID 976 wrote to memory of 4992 | 976 | Cefoni32.exe | 102
PID 976 wrote to memory of 4992 | 976 | Cefoni32.exe | 102
PID 4992 wrote to memory of 1860 | 4992 | Clbdpc32.exe | 103
PID 4992 wrote to memory of 1860 | 4992 | Clbdpc32.exe | 103
PID 4992 wrote to memory of 1860 | 4992 | Clbdpc32.exe | 103
PID 1860 wrote to memory of 2352 | 1860 | Cifdjg32.exe | 104
PID 1860 wrote to memory of 2352 | 1860 | Cifdjg32.exe | 104
PID 1860 wrote to memory of 2352 | 1860 | Cifdjg32.exe | 104
PID 2352 wrote to memory of 3488 | 2352 | Clgmkbna.exe | 105
PID 2352 wrote to memory of 3488 | 2352 | Clgmkbna.exe | 105
PID 2352 wrote to memory of 3488 | 2352 | Clgmkbna.exe | 105
PID 3488 wrote to memory of 412 | 3488 | Emeffcid.exe | 106
PID 3488 wrote to memory of 412 | 3488 | Emeffcid.exe | 106
PID 3488 wrote to memory of 412 | 3488 | Emeffcid.exe | 106
PID 412 wrote to memory of 4760 | 412 | Eepkkefp.exe | 107
PID 412 wrote to memory of 4760 | 412 | Eepkkefp.exe | 107
PID 412 wrote to memory of 4760 | 412 | Eepkkefp.exe | 107
PID 4760 wrote to memory of 1660 | 4760 | Ecdkdj32.exe | 108
PID 4760 wrote to memory of 1660 | 4760 | Ecdkdj32.exe | 108
PID 4760 wrote to memory of 1660 | 4760 | Ecdkdj32.exe | 108
PID 1660 wrote to memory of 1812 | 1660 | Ephlnn32.exe | 109
Processes (the number in brackets is the nesting depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\e68ee73e5a3b27a19aa4c40d9225a338_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e68ee73e5a3b27a19aa4c40d9225a338_JC.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2984

[2] C:\Windows\SysWOW64\Pomncfge.exe
    Command line: C:\Windows\system32\Pomncfge.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2988

[3] C:\Windows\SysWOW64\Qfjcep32.exe
    Command line: C:\Windows\system32\Qfjcep32.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4484

[4] C:\Windows\SysWOW64\Qpbgnecp.exe
    Command line: C:\Windows\system32\Qpbgnecp.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3552

[5] C:\Windows\SysWOW64\Akihcfid.exe
    Command line: C:\Windows\system32\Akihcfid.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2320

[6] C:\Windows\SysWOW64\Abemep32.exe
    Command line: C:\Windows\system32\Abemep32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3596

[7] C:\Windows\SysWOW64\Almanf32.exe
    Command line: C:\Windows\system32\Almanf32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4264

[8] C:\Windows\SysWOW64\Acgfec32.exe
    Command line: C:\Windows\system32\Acgfec32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1816

[9] C:\Windows\SysWOW64\Amoknh32.exe
    Command line: C:\Windows\system32\Amoknh32.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 884

[10] C:\Windows\SysWOW64\Bejobk32.exe
    Command line: C:\Windows\system32\Bejobk32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3420

[11] C:\Windows\SysWOW64\Bppcpc32.exe
    Command line: C:\Windows\system32\Bppcpc32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 5016

[12] C:\Windows\SysWOW64\Blgddd32.exe
    Command line: C:\Windows\system32\Blgddd32.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4284

[13] C:\Windows\SysWOW64\Bmimdg32.exe
    Command line: C:\Windows\system32\Bmimdg32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2848

[14] C:\Windows\SysWOW64\Bipnihgi.exe
    Command line: C:\Windows\system32\Bipnihgi.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1776

[15] C:\Windows\SysWOW64\Cefoni32.exe
    Command line: C:\Windows\system32\Cefoni32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 976

[16] C:\Windows\SysWOW64\Clbdpc32.exe
    Command line: C:\Windows\system32\Clbdpc32.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4992

[17] C:\Windows\SysWOW64\Cifdjg32.exe
    Command line: C:\Windows\system32\Cifdjg32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1860

[18] C:\Windows\SysWOW64\Clgmkbna.exe
    Command line: C:\Windows\system32\Clgmkbna.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2352

[19] C:\Windows\SysWOW64\Emeffcid.exe
    Command line: C:\Windows\system32\Emeffcid.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3488

[20] C:\Windows\SysWOW64\Eepkkefp.exe
    Command line: C:\Windows\system32\Eepkkefp.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 412

[21] C:\Windows\SysWOW64\Ecdkdj32.exe
    Command line: C:\Windows\system32\Ecdkdj32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4760

[22] C:\Windows\SysWOW64\Ephlnn32.exe
    Command line: C:\Windows\system32\Ephlnn32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1660

[23] C:\Windows\SysWOW64\Eeddfe32.exe
    Command line: C:\Windows\system32\Eeddfe32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1812

[24] C:\Windows\SysWOW64\Ecidpiad.exe
    Command line: C:\Windows\system32\Ecidpiad.exe
    - Executes dropped EXE
    PID: 2472

[25] C:\Windows\SysWOW64\Flfbcndo.exe
    Command line: C:\Windows\system32\Flfbcndo.exe
    - Executes dropped EXE
    PID: 916

[26] C:\Windows\SysWOW64\Ffnglc32.exe
    Command line: C:\Windows\system32\Ffnglc32.exe
    - Executes dropped EXE
    PID: 3316

[27] C:\Windows\SysWOW64\Fcbgfhii.exe
    Command line: C:\Windows\system32\Fcbgfhii.exe
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe28⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe29⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Gddqejni.exeC:\Windows\system32\Gddqejni.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe31⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Hfeoijbi.exeC:\Windows\system32\Hfeoijbi.exe32⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Qdflaa32.exeC:\Windows\system32\Qdflaa32.exe33⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Iooimi32.exeC:\Windows\system32\Iooimi32.exe34⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Npqmipjq.exeC:\Windows\system32\Npqmipjq.exe35⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Aeigilml.exeC:\Windows\system32\Aeigilml.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Jpjhlche.exeC:\Windows\system32\Jpjhlche.exe37⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Coegih32.exeC:\Windows\system32\Coegih32.exe38⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Dpnfjjla.exeC:\Windows\system32\Dpnfjjla.exe39⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Dapcab32.exeC:\Windows\system32\Dapcab32.exe40⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Dcopke32.exeC:\Windows\system32\Dcopke32.exe41⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Dpcpei32.exeC:\Windows\system32\Dpcpei32.exe42⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Dfphmp32.exeC:\Windows\system32\Dfphmp32.exe43⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Eoocfegl.exeC:\Windows\system32\Eoocfegl.exe44⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Efikco32.exeC:\Windows\system32\Efikco32.exe45⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Ehhgpj32.exeC:\Windows\system32\Ehhgpj32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4248 -
C:\Windows\SysWOW64\Ecmlmcmb.exeC:\Windows\system32\Ecmlmcmb.exe47⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Ejgdim32.exeC:\Windows\system32\Ejgdim32.exe48⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Eodlad32.exeC:\Windows\system32\Eodlad32.exe49⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Ebbinp32.exeC:\Windows\system32\Ebbinp32.exe50⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Emhmkh32.exeC:\Windows\system32\Emhmkh32.exe51⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Fofigd32.exeC:\Windows\system32\Fofigd32.exe52⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Fqhbgf32.exeC:\Windows\system32\Fqhbgf32.exe53⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Fcfocb32.exeC:\Windows\system32\Fcfocb32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Fmoclg32.exeC:\Windows\system32\Fmoclg32.exe55⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Fomohc32.exeC:\Windows\system32\Fomohc32.exe56⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Ffggdmbi.exeC:\Windows\system32\Ffggdmbi.exe57⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Fifdqhal.exeC:\Windows\system32\Fifdqhal.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4388 -
C:\Windows\SysWOW64\Fckhnaab.exeC:\Windows\system32\Fckhnaab.exe59⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ffjdjmpf.exeC:\Windows\system32\Ffjdjmpf.exe60⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Gqohge32.exeC:\Windows\system32\Gqohge32.exe61⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Gobicbgf.exeC:\Windows\system32\Gobicbgf.exe62⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Gbqeonfj.exeC:\Windows\system32\Gbqeonfj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Hmolbene.exeC:\Windows\system32\Hmolbene.exe64⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Jaljaoii.exeC:\Windows\system32\Jaljaoii.exe65⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Kabpan32.exeC:\Windows\system32\Kabpan32.exe66⤵PID:1776
-
C:\Windows\SysWOW64\Kmlmlo32.exeC:\Windows\system32\Kmlmlo32.exe67⤵PID:1272
-
C:\Windows\SysWOW64\Ligglo32.exeC:\Windows\system32\Ligglo32.exe68⤵
- Drops file in System32 directory
PID:3444 -
C:\Windows\SysWOW64\Lgkhec32.exeC:\Windows\system32\Lgkhec32.exe69⤵PID:4544
-
C:\Windows\SysWOW64\Mdaedgdb.exeC:\Windows\system32\Mdaedgdb.exe70⤵PID:1380
-
C:\Windows\SysWOW64\Mnjjmmkc.exeC:\Windows\system32\Mnjjmmkc.exe71⤵PID:3540
-
C:\Windows\SysWOW64\Mddbjg32.exeC:\Windows\system32\Mddbjg32.exe72⤵PID:2796
-
C:\Windows\SysWOW64\Mnochl32.exeC:\Windows\system32\Mnochl32.exe73⤵PID:4164
-
C:\Windows\SysWOW64\Mgidgakk.exeC:\Windows\system32\Mgidgakk.exe74⤵PID:4696
-
C:\Windows\SysWOW64\Maohdj32.exeC:\Windows\system32\Maohdj32.exe75⤵PID:2492
-
C:\Windows\SysWOW64\Ndmepe32.exeC:\Windows\system32\Ndmepe32.exe76⤵PID:3220
-
C:\Windows\SysWOW64\Nkgmmpab.exeC:\Windows\system32\Nkgmmpab.exe77⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Naaejj32.exeC:\Windows\system32\Naaejj32.exe78⤵PID:316
-
C:\Windows\SysWOW64\Ndpafe32.exeC:\Windows\system32\Ndpafe32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Nacboi32.exeC:\Windows\system32\Nacboi32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Ngpjgpec.exeC:\Windows\system32\Ngpjgpec.exe81⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Nnjbdj32.exeC:\Windows\system32\Nnjbdj32.exe82⤵PID:1316
-
C:\Windows\SysWOW64\Ncgkma32.exeC:\Windows\system32\Ncgkma32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:228 -
C:\Windows\SysWOW64\Njacikbd.exeC:\Windows\system32\Njacikbd.exe84⤵PID:1200
-
C:\Windows\SysWOW64\Ngedbp32.exeC:\Windows\system32\Ngedbp32.exe85⤵PID:1748
-
C:\Windows\SysWOW64\Ogjmnomi.exeC:\Windows\system32\Ogjmnomi.exe86⤵PID:3944
-
C:\Windows\SysWOW64\Onceji32.exeC:\Windows\system32\Onceji32.exe87⤵PID:3064
-
C:\Windows\SysWOW64\Odnngclb.exeC:\Windows\system32\Odnngclb.exe88⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Okgfdm32.exeC:\Windows\system32\Okgfdm32.exe89⤵PID:1812
-
C:\Windows\SysWOW64\Occkhp32.exeC:\Windows\system32\Occkhp32.exe90⤵PID:836
-
C:\Windows\SysWOW64\Ojmcej32.exeC:\Windows\system32\Ojmcej32.exe91⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Obdkfg32.exeC:\Windows\system32\Obdkfg32.exe92⤵
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Ocegnoog.exeC:\Windows\system32\Ocegnoog.exe93⤵PID:1884
-
C:\Windows\SysWOW64\Ojopki32.exeC:\Windows\system32\Ojopki32.exe94⤵PID:1696
-
C:\Windows\SysWOW64\Peddhb32.exeC:\Windows\system32\Peddhb32.exe95⤵PID:4444
-
C:\Windows\SysWOW64\Pnmhqh32.exeC:\Windows\system32\Pnmhqh32.exe96⤵PID:2520
-
C:\Windows\SysWOW64\Pgemimck.exeC:\Windows\system32\Pgemimck.exe97⤵PID:2304
-
C:\Windows\SysWOW64\Pbkagfba.exeC:\Windows\system32\Pbkagfba.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3804 -
C:\Windows\SysWOW64\Pghiomqi.exeC:\Windows\system32\Pghiomqi.exe99⤵PID:5004
-
C:\Windows\SysWOW64\Pnaalghe.exeC:\Windows\system32\Pnaalghe.exe100⤵PID:400
-
C:\Windows\SysWOW64\Papnhbgi.exeC:\Windows\system32\Papnhbgi.exe101⤵PID:3100
-
C:\Windows\SysWOW64\Pgjfdm32.exeC:\Windows\system32\Pgjfdm32.exe102⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Pabknbef.exeC:\Windows\system32\Pabknbef.exe103⤵PID:3036
-
C:\Windows\SysWOW64\Ajphagha.exeC:\Windows\system32\Ajphagha.exe104⤵PID:408
-
C:\Windows\SysWOW64\Aloekjod.exeC:\Windows\system32\Aloekjod.exe105⤵PID:3992
-
C:\Windows\SysWOW64\Anmagenh.exeC:\Windows\system32\Anmagenh.exe106⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Aalndaml.exeC:\Windows\system32\Aalndaml.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Anpnmele.exeC:\Windows\system32\Anpnmele.exe108⤵PID:4948
-
C:\Windows\SysWOW64\Acmfel32.exeC:\Windows\system32\Acmfel32.exe109⤵PID:1408
-
C:\Windows\SysWOW64\Ajfobfaj.exeC:\Windows\system32\Ajfobfaj.exe110⤵PID:1616
-
C:\Windows\SysWOW64\Adockl32.exeC:\Windows\system32\Adockl32.exe111⤵PID:4380
-
C:\Windows\SysWOW64\Ajikhfpg.exeC:\Windows\system32\Ajikhfpg.exe112⤵PID:452
-
C:\Windows\SysWOW64\Abpcicpi.exeC:\Windows\system32\Abpcicpi.exe113⤵PID:2588
-
C:\Windows\SysWOW64\Adapqk32.exeC:\Windows\system32\Adapqk32.exe114⤵PID:5040
-
C:\Windows\SysWOW64\Blhhaigj.exeC:\Windows\system32\Blhhaigj.exe115⤵PID:1980
-
C:\Windows\SysWOW64\Bhohfj32.exeC:\Windows\system32\Bhohfj32.exe116⤵PID:1544
-
C:\Windows\SysWOW64\Bdfilkbb.exeC:\Windows\system32\Bdfilkbb.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Bjpaheio.exeC:\Windows\system32\Bjpaheio.exe118⤵
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Bajjeo32.exeC:\Windows\system32\Bajjeo32.exe119⤵PID:1356
-
C:\Windows\SysWOW64\Bhdbaihi.exeC:\Windows\system32\Bhdbaihi.exe120⤵PID:1196
-
C:\Windows\SysWOW64\Bjbnndgl.exeC:\Windows\system32\Bjbnndgl.exe121⤵PID:3836
-
C:\Windows\SysWOW64\Behbkmgb.exeC:\Windows\system32\Behbkmgb.exe122⤵PID:5132