Analysis

max time kernel: 186s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25/11/2022, 21:15
Static task: static1

Behavioral task: behavioral1
  Sample: 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe
  Resource: win10v2004-20221111-en
General

Target: 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe
Size: 92KB
MD5: 1c4f783a6139698762cb7690d8618ab0
SHA1: bf2bed093661f8e4cc6993f21bac2aa1e02a86dd
SHA256: 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893
SHA512: 2cc0405bedec93902115db33039f7069910e8c34e99dc4760c02a701e80e26a64e4f47f9afaa1cdb6e0c295fd48dbf40d2498792ac06e4b4ec0338018000db49
SSDEEP: 1536:V703Kg+58Fxz9wuxGhRPelhdlezBi3jLV3BGnMPJKEsztuJO:K3/+iv9wugrujLlBRh1sN
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnojcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Padhoe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfaagl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhfimg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnofgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Melicpbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhfbcbla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Loldbifc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfaagl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bianep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cojfieep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpknopof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjhcmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkdiel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Haomcmhn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaacig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekiifa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fklbkdnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgobqdec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndblob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fppdjgop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qopeekdm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjbekj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnljakej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpgcpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfodalmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkneneme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obdofgpb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bejocimm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcmaob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llpeknem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obclbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmnfie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlkolg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fiildice.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Niedmb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aacpngnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eempck32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkjkgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neagpmje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkikce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pddlak32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlomdpgl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Annemfqj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhmecdie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dajnmmmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjdace32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahjgdphj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eeohgiia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kamadaqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbccpphg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fddehe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjjkbidk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpbneneq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdcdkp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bflggh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcqheqnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pidfoffc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qqmjlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdjeioak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aodoqj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Neagpmje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgffdo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecgjpc32.exe

Executes dropped EXE (64 IoCs)

pid | Process
1188 | Kamadaqi.exe
1744 | Kpbneneq.exe
520 | Keaccdae.exe
1172 | Loldbifc.exe
696 | Llpeknem.exe
1980 | Lhgepoka.exe
1852 | Ldnfep32.exe
1468 | Lnfknegf.exe
1336 | Lkjkgi32.exe
888 | Lpgcpp32.exe
1540 | Mnkdid32.exe
632 | Mlpaja32.exe
1792 | Mjdace32.exe
1552 | Mclfmk32.exe
1108 | Mocgalbg.exe
1964 | Mbacngaj.exe
1992 | Ndblob32.exe
1940 | Nkoaaldf.exe
1164 | Nnojcg32.exe
1652 | Njfjhhgk.exe
1780 | Noccqoeb.exe
2028 | Nfmkmimo.exe
2032 | Ooepfo32.exe
364 | Obclbj32.exe
268 | Oipadd32.exe
1176 | Oggjkp32.exe
2036 | Pjhcmk32.exe
1616 | Pmfpif32.exe
1812 | Pcqheqnd.exe
1224 | Pfodalmh.exe
1104 | Pjjpbkea.exe
1756 | Padhoe32.exe
1960 | Pdcdkp32.exe
1424 | Pfaagl32.exe
1736 | Pipmcg32.exe
1348 | Plnipb32.exe
1548 | Pdeaqp32.exe
1528 | Pfcnmk32.exe
1020 | Pmnfie32.exe
612 | Pbjnbl32.exe
1520 | Pidfoffc.exe
1784 | Qekgcg32.exe
876 | Cgoefp32.exe
1240 | Cmlnog32.exe
1768 | Cfdbhmid.exe
1740 | Nhanip32.exe
1148 | Ddqhbaoh.exe
1932 | Neagpmje.exe
2016 | Nlkolg32.exe
1956 | Neccemhb.exe
1300 | Ncgdoa32.exe
296 | Nhdmgh32.exe
1544 | Nlpigfnl.exe
1472 | Nciadq32.exe
1692 | Nhfimg32.exe
584 | Nkeeicbd.exe
1440 | Naonem32.exe
1624 | Ogkfnd32.exe
1752 | Oaajkm32.exe
1356 | Pkikce32.exe
1568 | Pbccpphg.exe
1564 | Phmllj32.exe
308 | Pogdid32.exe
1444 | Pddlak32.exe

Loads dropped DLL (64 IoCs)

pid | Process
1192 | 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe
1192 | 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe
1188 | Kamadaqi.exe
1188 | Kamadaqi.exe
1744 | Kpbneneq.exe
1744 | Kpbneneq.exe
520 | Keaccdae.exe
520 | Keaccdae.exe
1172 | Loldbifc.exe
1172 | Loldbifc.exe
696 | Llpeknem.exe
696 | Llpeknem.exe
1980 | Lhgepoka.exe
1980 | Lhgepoka.exe
1852 | Ldnfep32.exe
1852 | Ldnfep32.exe
1468 | Lnfknegf.exe
1468 | Lnfknegf.exe
1336 | Lkjkgi32.exe
1336 | Lkjkgi32.exe
888 | Lpgcpp32.exe
888 | Lpgcpp32.exe
1540 | Mnkdid32.exe
1540 | Mnkdid32.exe
632 | Mlpaja32.exe
632 | Mlpaja32.exe
1792 | Mjdace32.exe
1792 | Mjdace32.exe
1552 | Mclfmk32.exe
1552 | Mclfmk32.exe
1108 | Mocgalbg.exe
1108 | Mocgalbg.exe
1964 | Mbacngaj.exe
1964 | Mbacngaj.exe
1992 | Ndblob32.exe
1992 | Ndblob32.exe
1940 | Nkoaaldf.exe
1940 | Nkoaaldf.exe
1164 | Nnojcg32.exe
1164 | Nnojcg32.exe
1652 | Njfjhhgk.exe
1652 | Njfjhhgk.exe
1780 | Noccqoeb.exe
1780 | Noccqoeb.exe
2028 | Nfmkmimo.exe
2028 | Nfmkmimo.exe
2032 | Ooepfo32.exe
2032 | Ooepfo32.exe
364 | Obclbj32.exe
364 | Obclbj32.exe
268 | Oipadd32.exe
268 | Oipadd32.exe
1176 | Oggjkp32.exe
1176 | Oggjkp32.exe
2036 | Pjhcmk32.exe
2036 | Pjhcmk32.exe
1616 | Pmfpif32.exe
1616 | Pmfpif32.exe
1812 | Pcqheqnd.exe
1812 | Pcqheqnd.exe
1224 | Pfodalmh.exe
1224 | Pfodalmh.exe
1104 | Pjjpbkea.exe
1104 | Pjjpbkea.exe

Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Pddlak32.exe | Pogdid32.exe
File created | C:\Windows\SysWOW64\Dciqgklf.dll | Pogdid32.exe
File opened for modification | C:\Windows\SysWOW64\Fppdjgop.exe | Fakgikjh.exe
File created | C:\Windows\SysWOW64\Lnfknegf.exe | Ldnfep32.exe
File created | C:\Windows\SysWOW64\Anloia32.dll | Pdeaqp32.exe
File created | C:\Windows\SysWOW64\Cmofkn32.exe | Behnja32.exe
File created | C:\Windows\SysWOW64\Eqonqj32.dll | Niedmb32.exe
File opened for modification | C:\Windows\SysWOW64\Cgffdo32.exe | Cehjhc32.exe
File created | C:\Windows\SysWOW64\Ehkhnd32.exe | Eellai32.exe
File opened for modification | C:\Windows\SysWOW64\Plnipb32.exe | Pipmcg32.exe
File opened for modification | C:\Windows\SysWOW64\Cmlnog32.exe | Cgoefp32.exe
File created | C:\Windows\SysWOW64\Mnfjppep.dll | Nbbfbd32.exe
File created | C:\Windows\SysWOW64\Pmnfie32.exe | Pfcnmk32.exe
File created | C:\Windows\SysWOW64\Melicpbb.exe | Mgmefhmh.exe
File created | C:\Windows\SysWOW64\Gedbcm32.exe | Gbcjab32.exe
File opened for modification | C:\Windows\SysWOW64\Ffcfdfac.exe | Dcnhhhfl.exe
File created | C:\Windows\SysWOW64\Nijaio32.exe | Melicpbb.exe
File created | C:\Windows\SysWOW64\Obgllgnp.exe | Obdofgpb.exe
File created | C:\Windows\SysWOW64\Aakalo32.dll | Cfplajjh.exe
File created | C:\Windows\SysWOW64\Dicbhe32.exe | Dfeflj32.exe
File created | C:\Windows\SysWOW64\Dhfbcbla.exe | Dicbhe32.exe
File created | C:\Windows\SysWOW64\Kehliine.exe | Pcmaob32.exe
File opened for modification | C:\Windows\SysWOW64\Llpeknem.exe | Loldbifc.exe
File opened for modification | C:\Windows\SysWOW64\Lkjkgi32.exe | Lnfknegf.exe
File created | C:\Windows\SysWOW64\Apmdff32.dll | Cojfieep.exe
File opened for modification | C:\Windows\SysWOW64\Boobdn32.exe | Annemfqj.exe
File created | C:\Windows\SysWOW64\Kfincb32.dll | Fedfdj32.exe
File created | C:\Windows\SysWOW64\Gcnmpe32.exe | Gfjlfa32.exe
File created | C:\Windows\SysWOW64\Fcndhicn.dll | Fiildice.exe
File opened for modification | C:\Windows\SysWOW64\Fmokhl32.exe | Fcgfofko.exe
File created | C:\Windows\SysWOW64\Lcgjeb32.dll | Kpbneneq.exe
File created | C:\Windows\SysWOW64\Pcqheqnd.exe | Pmfpif32.exe
File created | C:\Windows\SysWOW64\Nkeeicbd.exe | Nhfimg32.exe
File created | C:\Windows\SysWOW64\Mlbihibq.dll | Dpknopof.exe
File created | C:\Windows\SysWOW64\Emkenici.exe | Ekiifa32.exe
File created | C:\Windows\SysWOW64\Ecldkbdn.exe | Efhcbnfd.exe
File opened for modification | C:\Windows\SysWOW64\Hhiepg32.exe | Haomcmhn.exe
File created | C:\Windows\SysWOW64\Pbhmko32.exe | Pkneneme.exe
File created | C:\Windows\SysWOW64\Bflggh32.exe | Bgfjfk32.exe
File created | C:\Windows\SysWOW64\Dhpmchof.dll | Fcgfofko.exe
File created | C:\Windows\SysWOW64\Fhhmpkmi.dll | Pbccpphg.exe
File created | C:\Windows\SysWOW64\Ppcbdoem.exe | Pmefhd32.exe
File opened for modification | C:\Windows\SysWOW64\Ppcbdoem.exe | Pmefhd32.exe
File created | C:\Windows\SysWOW64\Iohlchhj.dll | Cmlnog32.exe
File created | C:\Windows\SysWOW64\Eeokcd32.dll | Pmgcmcdf.exe
File opened for modification | C:\Windows\SysWOW64\Cjebajij.exe | Cgffdo32.exe
File opened for modification | C:\Windows\SysWOW64\Diaebegi.exe | Cphajp32.exe
File created | C:\Windows\SysWOW64\Dloaoa32.exe | Diaebegi.exe
File created | C:\Windows\SysWOW64\Ldnfep32.exe | Lhgepoka.exe
File created | C:\Windows\SysWOW64\Iaihnp32.dll | Pjjpbkea.exe
File opened for modification | C:\Windows\SysWOW64\Nlpigfnl.exe | Nhdmgh32.exe
File opened for modification | C:\Windows\SysWOW64\Nkeeicbd.exe | Nhfimg32.exe
File created | C:\Windows\SysWOW64\Cghpak32.dll | Fakgikjh.exe
File created | C:\Windows\SysWOW64\Qqmjlk32.exe | Pjcaoa32.exe
File created | C:\Windows\SysWOW64\Nkckjc32.dll | Piijgenp.exe
File created | C:\Windows\SysWOW64\Opmapa32.exe | Commldoo.exe
File opened for modification | C:\Windows\SysWOW64\Gbcjab32.exe | Gcnmpe32.exe
File created | C:\Windows\SysWOW64\Gibkik32.exe | Gakchn32.exe
File created | C:\Windows\SysWOW64\Dpknopof.exe | Dloaoa32.exe
File opened for modification | C:\Windows\SysWOW64\Eeohgiia.exe | Eodpjo32.exe
File created | C:\Windows\SysWOW64\Oajqnlbj.dll | Eeohgiia.exe
File created | C:\Windows\SysWOW64\Qekgcg32.exe | Pidfoffc.exe
File created | C:\Windows\SysWOW64\Pakcol32.dll | Nkeeicbd.exe
File created | C:\Windows\SysWOW64\Jogedhlk.dll | Dfeflj32.exe

Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkoaaldf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnboieqh.dll" | Oggjkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icbfoe32.dll" | Pfodalmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlnfflcf.dll" | Npmpdmii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndblob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnojcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ecldkbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealkkbqn.dll" | Hdbbjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdicef32.dll" | Cioimfil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pcpcfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladoelgg.dll" | Cdfade32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcgfofko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnkdid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Padhoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Piijgenp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cfplajjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkhcbc32.dll" | Dpfepdif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgoefp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nhdmgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblhpg32.dll" | Ecgjpc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eempck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gibkik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emkenici.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkjkgi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdjeioak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Boidkm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Commldoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llapjjal.dll" | Emkenici.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnhkmdo.dll" | Mgmefhmh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pmcnce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhiepg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehlck32.dll" | Nhdmgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nciadq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dnbgflal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpjbpbi.dll" | Gibkik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abpion32.dll" | Ldnfep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mgmefhmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkocpd32.dll" | Cjbekj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpfepdif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncmfg32.dll" | Qlomdpgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmeikf.dll" | Adcdoqll.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpblde32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkjkgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oggjkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjjpbkea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cmlnog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omgijojj.dll" | Bemlfm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjdace32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddkhmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbfjhn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgffdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfggpkh.dll" | Fcbiqmhk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qicaoedn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iamcpp32.dll" | Mocgalbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnojcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjjhp32.dll" | Dkqfnf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bflggh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cgffdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpmdo32.dll" | Nlkolg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ecldkbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fakgikjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcmaob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkghpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimgnl32.dll" | Hehlnlcj.exe
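The two registry signatures above describe one persistence chain: the sample registers the value "Web Event Logger" under ShellServiceObjectDelayLoad (a key Explorer walks at logon, loading each listed CLSID in-process), and registers that CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under Classes\CLSID with an InProcServer32 pointing at a freshly dropped DLL in SysWow64, rewritten by successive generations. The script below is an added example for triaging such output, not part of the tria.ge report or of the sample: it parses a handful of rows copied from the tables above (constructed excerpt, not the full 128 rows), joins each SSODL entry to the DLL its CLSID resolves to, and flags entries outside an assumed stock Windows 7 baseline (the WebCheck entry and its CLSID are the author's assumption, not something the report states). The same join is what you would run over a live HKLM hive or a registry export.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: six rows copied from the report's ShellServiceObjectDelayLoad
# and CLSID InProcServer32 signature tables, in the "description ioc Process" form
# the page uses. This is an excerpt, not the full tables.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padhoe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnojcg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkoaaldf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnboieqh.dll" Oggjkp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icbfoe32.dll" Pfodalmh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnofgj32.exe
"""

# Assumed baseline (author's assumption, not from the report): the SSODL entry a
# stock Windows 7 image ships with. Anything else under the key deserves a look.
KNOWN_GOOD_SSODL = {"WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

# "<desc> <path>[ = "<data>"] <process>"; the path may contain spaces (Web Event Logger).
EVENT_RE = re.compile(
    r'^(?P<desc>Set value \(str\)|Key created) (?P<path>.+?)'
    r'(?: = "(?P<value>.*)")? (?P<proc>\S+)$'
)
# Value name under ...\ShellServiceObjectDelayLoad\ is the entry name; its data is a CLSID.
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$", re.IGNORECASE)
# A trailing backslash is the (Default) value of InProcServer32, i.e. the DLL path.
INPROC_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32\\$", re.IGNORECASE)


@dataclass
class RegEvent:
    desc: str
    path: str
    value: Optional[str]
    proc: str


@dataclass
class SsodlEntry:
    name: str
    clsid: str
    writers: List[str] = field(default_factory=list)  # processes that wrote the SSODL value
    servers: List[str] = field(default_factory=list)  # InProcServer32 paths seen for the CLSID, in order


def parse_events(text: str) -> List[RegEvent]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised registry event: {line}")
        events.append(RegEvent(m["desc"], m["path"], m["value"], m["proc"]))
    return events


def resolve_ssodl(events: List[RegEvent]) -> Dict[str, SsodlEntry]:
    """Join each SSODL entry to the DLL(s) its CLSID's InProcServer32 pointed at."""
    servers: Dict[str, List[str]] = {}
    for e in events:
        if e.desc != "Set value (str)" or e.value is None:
            continue
        m = INPROC_RE.search(e.path)
        if m:
            # The report escapes backslashes inside string data; undo that.
            servers.setdefault(m["clsid"].upper(), []).append(e.value.replace("\\\\", "\\"))
    entries: Dict[str, SsodlEntry] = {}
    for e in events:
        if e.desc != "Set value (str)" or e.value is None:
            continue
        m = SSODL_RE.search(e.path)
        if not m:
            continue
        clsid = e.value.upper()
        entry = entries.setdefault(
            m["name"], SsodlEntry(m["name"], clsid, servers=list(servers.get(clsid, [])))
        )
        if e.proc not in entry.writers:
            entry.writers.append(e.proc)
    return entries


def unexpected_entries(entries: Dict[str, SsodlEntry]) -> List[str]:
    """Entry names whose (name, CLSID) pair is not in the assumed baseline."""
    return [n for n, e in entries.items() if KNOWN_GOOD_SSODL.get(n) != e.clsid]


if __name__ == "__main__":
    found = resolve_ssodl(parse_events(SAMPLE_EVENTS))
    for name, e in found.items():
        print(f"{name} -> {e.clsid}  (set by {', '.join(e.writers)})")
        for dll in e.servers:
            print("  InProcServer32:", dll)
    print("not in baseline:", unexpected_entries(found))
```

The list of server paths is kept in order rather than collapsed to one value because, as the table shows, each generation of the chain rewrites the InProcServer32 default to a new DLL name; on a live host only the last write survives, so the sandbox log is the only place the earlier names are visible.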

Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1192 wrote to memory of 1188 | 1192 | 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe | 28
PID 1192 wrote to memory of 1188 | 1192 | 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe | 28
PID 1192 wrote to memory of 1188 | 1192 | 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe | 28
PID 1192 wrote to memory of 1188 | 1192 | 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe | 28
PID 1188 wrote to memory of 1744 | 1188 | Kamadaqi.exe | 29
PID 1188 wrote to memory of 1744 | 1188 | Kamadaqi.exe | 29
PID 1188 wrote to memory of 1744 | 1188 | Kamadaqi.exe | 29
PID 1188 wrote to memory of 1744 | 1188 | Kamadaqi.exe | 29
PID 1744 wrote to memory of 520 | 1744 | Kpbneneq.exe | 30
PID 1744 wrote to memory of 520 | 1744 | Kpbneneq.exe | 30
PID 1744 wrote to memory of 520 | 1744 | Kpbneneq.exe | 30
PID 1744 wrote to memory of 520 | 1744 | Kpbneneq.exe | 30
PID 520 wrote to memory of 1172 | 520 | Keaccdae.exe | 31
PID 520 wrote to memory of 1172 | 520 | Keaccdae.exe | 31
PID 520 wrote to memory of 1172 | 520 | Keaccdae.exe | 31
PID 520 wrote to memory of 1172 | 520 | Keaccdae.exe | 31
PID 1172 wrote to memory of 696 | 1172 | Loldbifc.exe | 32
PID 1172 wrote to memory of 696 | 1172 | Loldbifc.exe | 32
PID 1172 wrote to memory of 696 | 1172 | Loldbifc.exe | 32
PID 1172 wrote to memory of 696 | 1172 | Loldbifc.exe | 32
PID 696 wrote to memory of 1980 | 696 | Llpeknem.exe | 33
PID 696 wrote to memory of 1980 | 696 | Llpeknem.exe | 33
PID 696 wrote to memory of 1980 | 696 | Llpeknem.exe | 33
PID 696 wrote to memory of 1980 | 696 | Llpeknem.exe | 33
PID 1980 wrote to memory of 1852 | 1980 | Lhgepoka.exe | 34
PID 1980 wrote to memory of 1852 | 1980 | Lhgepoka.exe | 34
PID 1980 wrote to memory of 1852 | 1980 | Lhgepoka.exe | 34
PID 1980 wrote to memory of 1852 | 1980 | Lhgepoka.exe | 34
PID 1852 wrote to memory of 1468 | 1852 | Ldnfep32.exe | 35
PID 1852 wrote to memory of 1468 | 1852 | Ldnfep32.exe | 35
PID 1852 wrote to memory of 1468 | 1852 | Ldnfep32.exe | 35
PID 1852 wrote to memory of 1468 | 1852 | Ldnfep32.exe | 35
PID 1468 wrote to memory of 1336 | 1468 | Lnfknegf.exe | 36
PID 1468 wrote to memory of 1336 | 1468 | Lnfknegf.exe | 36
PID 1468 wrote to memory of 1336 | 1468 | Lnfknegf.exe | 36
PID 1468 wrote to memory of 1336 | 1468 | Lnfknegf.exe | 36
PID 1336 wrote to memory of 888 | 1336 | Lkjkgi32.exe | 37
PID 1336 wrote to memory of 888 | 1336 | Lkjkgi32.exe | 37
PID 1336 wrote to memory of 888 | 1336 | Lkjkgi32.exe | 37
PID 1336 wrote to memory of 888 | 1336 | Lkjkgi32.exe | 37
PID 888 wrote to memory of 1540 | 888 | Lpgcpp32.exe | 38
PID 888 wrote to memory of 1540 | 888 | Lpgcpp32.exe | 38
PID 888 wrote to memory of 1540 | 888 | Lpgcpp32.exe | 38
PID 888 wrote to memory of 1540 | 888 | Lpgcpp32.exe | 38
PID 1540 wrote to memory of 632 | 1540 | Mnkdid32.exe | 39
PID 1540 wrote to memory of 632 | 1540 | Mnkdid32.exe | 39
PID 1540 wrote to memory of 632 | 1540 | Mnkdid32.exe | 39
PID 1540 wrote to memory of 632 | 1540 | Mnkdid32.exe | 39
PID 632 wrote to memory of 1792 | 632 | Mlpaja32.exe | 40
PID 632 wrote to memory of 1792 | 632 | Mlpaja32.exe | 40
PID 632 wrote to memory of 1792 | 632 | Mlpaja32.exe | 40
PID 632 wrote to memory of 1792 | 632 | Mlpaja32.exe | 40
PID 1792 wrote to memory of 1552 | 1792 | Mjdace32.exe | 41
PID 1792 wrote to memory of 1552 | 1792 | Mjdace32.exe | 41
PID 1792 wrote to memory of 1552 | 1792 | Mjdace32.exe | 41
PID 1792 wrote to memory of 1552 | 1792 | Mjdace32.exe | 41
PID 1552 wrote to memory of 1108 | 1552 | Mclfmk32.exe | 42
PID 1552 wrote to memory of 1108 | 1552 | Mclfmk32.exe | 42
PID 1552 wrote to memory of 1108 | 1552 | Mclfmk32.exe | 42
PID 1552 wrote to memory of 1108 | 1552 | Mclfmk32.exe | 42
PID 1108 wrote to memory of 1964 | 1108 | Mocgalbg.exe | 43
PID 1108 wrote to memory of 1964 | 1108 | Mocgalbg.exe | 43
PID 1108 wrote to memory of 1964 | 1108 | Mocgalbg.exe | 43
PID 1108 wrote to memory of 1964 | 1108 | Mocgalbg.exe | 43
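Read together, the "Drops file in System32 directory", "Executes dropped EXE" and WriteProcessMemory tables show a strict single lineage: each process writes the next Xxxxxx32.exe into SysWOW64, starts it, and the child repeats the step. The script below is an added example for rebuilding that lineage from the report's flattened text, not part of the tria.ge report or of the sample. It runs on short excerpts copied from the three tables above (constructed, not the full tables), collapses the four identical write records the sandbox logs per process start, walks parent to child from the one process that is never a target, and for every edge checks whether the parent is also on record as having written the child's file. Edges without a matching drop row are reported as unconfirmed, which is what you should expect when the visible table is capped at 64 rows.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts copied from the report's WriteProcessMemory, "Executes dropped
# EXE" and "Drops file in System32 directory" tables, in the flattened form the page
# shows. The root sample's duplicated write record is kept to show de-duplication.
WRITES = (
    "PID 1192 wrote to memory of 1188 1192 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe 28 "
    "PID 1192 wrote to memory of 1188 1192 6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe 28 "
    "PID 1188 wrote to memory of 1744 1188 Kamadaqi.exe 29 "
    "PID 1744 wrote to memory of 520 1744 Kpbneneq.exe 30 "
    "PID 520 wrote to memory of 1172 520 Keaccdae.exe 31 "
    "PID 1172 wrote to memory of 696 1172 Loldbifc.exe 32 "
    "PID 696 wrote to memory of 1980 696 Llpeknem.exe 33 "
    "PID 1980 wrote to memory of 1852 1980 Lhgepoka.exe 34 "
    "PID 1852 wrote to memory of 1468 1852 Ldnfep32.exe 35"
)
EXECUTED = (
    "1188 Kamadaqi.exe 1744 Kpbneneq.exe 520 Keaccdae.exe 1172 Loldbifc.exe "
    "696 Llpeknem.exe 1980 Lhgepoka.exe 1852 Ldnfep32.exe 1468 Lnfknegf.exe"
)
DROPS = (
    r"File created C:\Windows\SysWOW64\Lnfknegf.exe Ldnfep32.exe "
    r"File created C:\Windows\SysWOW64\Lcgjeb32.dll Kpbneneq.exe "
    r"File opened for modification C:\Windows\SysWOW64\Llpeknem.exe Loldbifc.exe "
    r"File created C:\Windows\SysWOW64\Ldnfep32.exe Lhgepoka.exe"
)

# "PID <src> wrote to memory of <dst> <src> <image> <target index>"; the backreference
# ties the pid column to the description so a misaligned row cannot be swallowed.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
PID_NAME_RE = re.compile(r"(\d+) (\S+\.exe)")
DROP_RE = re.compile(r"File (?:created|opened for modification) (\S+) (\S+\.exe)")


def build_chain(writes: str, executed: str) -> List[Tuple[int, str]]:
    """Return the single parent-to-child lineage as (pid, image name) pairs."""
    names: Dict[int, str] = {int(p): n for p, n in PID_NAME_RE.findall(executed)}
    children: Dict[int, List[int]] = {}
    targets = set()
    for src, dst, name in WRITE_RE.findall(writes):
        src, dst = int(src), int(dst)
        names.setdefault(src, name)
        targets.add(dst)
        kids = children.setdefault(src, [])
        if dst not in kids:  # one row per WriteProcessMemory call; collapse them
            kids.append(dst)
    roots = [p for p in children if p not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain = [roots[0]]
    while children.get(chain[-1]):
        kids = children[chain[-1]]
        if len(kids) != 1:
            break  # fan-out ends the single-lineage walk; a fuller tool would recurse
        chain.append(kids[0])
    return [(p, names.get(p, "?")) for p in chain]


def correlate_drops(chain: List[Tuple[int, str]], drops: str) -> List[dict]:
    """For each edge, record whether the parent is logged as writing the child's file."""
    written = {
        (proc.lower(), path.rsplit("\\", 1)[-1].lower())
        for path, proc in DROP_RE.findall(drops)
    }
    edges = []
    for (ppid, parent), (cpid, child) in zip(chain, chain[1:]):
        edges.append({
            "parent": parent, "parent_pid": ppid,
            "child": child, "child_pid": cpid,
            "dropped_by_parent": (parent.lower(), child.lower()) in written,
        })
    return edges


if __name__ == "__main__":
    lineage = build_chain(WRITES, EXECUTED)
    print(f"{len(lineage) - 1} generations from {lineage[0][1]}")
    for edge in correlate_drops(lineage, DROPS):
        mark = "drop confirmed" if edge["dropped_by_parent"] else "no drop row in excerpt"
        print(f"  {edge['parent']} ({edge['parent_pid']}) -> {edge['child']} ({edge['child_pid']}): {mark}")
```

"File opened for modification" is treated the same as "File created" when confirming an edge: the sandbox uses the former when the dropper opens an existing path for writing, and either way the parent produced the file it then started.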
Processes
-
C:\Users\Admin\AppData\Local\Temp\6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe"C:\Users\Admin\AppData\Local\Temp\6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Kamadaqi.exeC:\Windows\system32\Kamadaqi.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Kpbneneq.exeC:\Windows\system32\Kpbneneq.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Keaccdae.exeC:\Windows\system32\Keaccdae.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Loldbifc.exeC:\Windows\system32\Loldbifc.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Llpeknem.exeC:\Windows\system32\Llpeknem.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Lhgepoka.exeC:\Windows\system32\Lhgepoka.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Ldnfep32.exeC:\Windows\system32\Ldnfep32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Lnfknegf.exeC:\Windows\system32\Lnfknegf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Lkjkgi32.exeC:\Windows\system32\Lkjkgi32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Lpgcpp32.exeC:\Windows\system32\Lpgcpp32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Mnkdid32.exeC:\Windows\system32\Mnkdid32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Mlpaja32.exeC:\Windows\system32\Mlpaja32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Mjdace32.exeC:\Windows\system32\Mjdace32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Mclfmk32.exeC:\Windows\system32\Mclfmk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Mocgalbg.exeC:\Windows\system32\Mocgalbg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Mbacngaj.exeC:\Windows\system32\Mbacngaj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Ndblob32.exeC:\Windows\system32\Ndblob32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Nkoaaldf.exeC:\Windows\system32\Nkoaaldf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Nnojcg32.exeC:\Windows\system32\Nnojcg32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Njfjhhgk.exeC:\Windows\system32\Njfjhhgk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Noccqoeb.exeC:\Windows\system32\Noccqoeb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Nfmkmimo.exeC:\Windows\system32\Nfmkmimo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Ooepfo32.exeC:\Windows\system32\Ooepfo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Obclbj32.exeC:\Windows\system32\Obclbj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:364 -
C:\Windows\SysWOW64\Oipadd32.exeC:\Windows\system32\Oipadd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Oggjkp32.exeC:\Windows\system32\Oggjkp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Pjhcmk32.exeC:\Windows\system32\Pjhcmk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Pmfpif32.exeC:\Windows\system32\Pmfpif32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Pcqheqnd.exeC:\Windows\system32\Pcqheqnd.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Pfodalmh.exeC:\Windows\system32\Pfodalmh.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Pjjpbkea.exeC:\Windows\system32\Pjjpbkea.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Padhoe32.exeC:\Windows\system32\Padhoe32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Pdcdkp32.exeC:\Windows\system32\Pdcdkp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Pfaagl32.exeC:\Windows\system32\Pfaagl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Pipmcg32.exeC:\Windows\system32\Pipmcg32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Plnipb32.exeC:\Windows\system32\Plnipb32.exe37⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Pdeaqp32.exeC:\Windows\system32\Pdeaqp32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Pfcnmk32.exeC:\Windows\system32\Pfcnmk32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Pmnfie32.exeC:\Windows\system32\Pmnfie32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Pbjnbl32.exeC:\Windows\system32\Pbjnbl32.exe41⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Pidfoffc.exeC:\Windows\system32\Pidfoffc.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Qekgcg32.exeC:\Windows\system32\Qekgcg32.exe43⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Cgoefp32.exeC:\Windows\system32\Cgoefp32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Cmlnog32.exeC:\Windows\system32\Cmlnog32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Cfdbhmid.exeC:\Windows\system32\Cfdbhmid.exe46⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Nhanip32.exeC:\Windows\system32\Nhanip32.exe47⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ddqhbaoh.exeC:\Windows\system32\Ddqhbaoh.exe48⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Neagpmje.exeC:\Windows\system32\Neagpmje.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Nlkolg32.exeC:\Windows\system32\Nlkolg32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Neccemhb.exeC:\Windows\system32\Neccemhb.exe51⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ncgdoa32.exeC:\Windows\system32\Ncgdoa32.exe52⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Nhdmgh32.exeC:\Windows\system32\Nhdmgh32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Nlpigfnl.exeC:\Windows\system32\Nlpigfnl.exe54⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Nciadq32.exeC:\Windows\system32\Nciadq32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Nhfimg32.exeC:\Windows\system32\Nhfimg32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Nkeeicbd.exeC:\Windows\system32\Nkeeicbd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Naonem32.exeC:\Windows\system32\Naonem32.exe58⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Ogkfnd32.exeC:\Windows\system32\Ogkfnd32.exe59⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Oaajkm32.exeC:\Windows\system32\Oaajkm32.exe60⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Pkikce32.exeC:\Windows\system32\Pkikce32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Pbccpphg.exeC:\Windows\system32\Pbccpphg.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Phmllj32.exeC:\Windows\system32\Phmllj32.exe63⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Pogdid32.exeC:\Windows\system32\Pogdid32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Pddlak32.exeC:\Windows\system32\Pddlak32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Pkneneme.exeC:\Windows\system32\Pkneneme.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Pbhmko32.exeC:\Windows\system32\Pbhmko32.exe67⤵PID:564
-
C:\Windows\SysWOW64\Pciibgjp.exeC:\Windows\system32\Pciibgjp.exe68⤵PID:1452
-
C:\Windows\SysWOW64\Pjcaoa32.exeC:\Windows\system32\Pjcaoa32.exe69⤵
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Qqmjlk32.exeC:\Windows\system32\Qqmjlk32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1172 -
C:\Windows\SysWOW64\Qggbheqf.exeC:\Windows\system32\Qggbheqf.exe71⤵PID:1160
-
C:\Windows\SysWOW64\Bemlfm32.exeC:\Windows\system32\Bemlfm32.exe72⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Bjlqdcln.exeC:\Windows\system32\Bjlqdcln.exe73⤵PID:888
-
C:\Windows\SysWOW64\Bianep32.exeC:\Windows\system32\Bianep32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:392 -
C:\Windows\SysWOW64\Behnja32.exeC:\Windows\system32\Behnja32.exe75⤵
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Cmofkn32.exeC:\Windows\system32\Cmofkn32.exe76⤵PID:1620
-
C:\Windows\SysWOW64\Cpnbgj32.exeC:\Windows\system32\Cpnbgj32.exe77⤵PID:960
-
C:\Windows\SysWOW64\Cojfieep.exeC:\Windows\system32\Cojfieep.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Cpkbam32.exeC:\Windows\system32\Cpkbam32.exe79⤵PID:1928
-
C:\Windows\SysWOW64\Dkqfnf32.exeC:\Windows\system32\Dkqfnf32.exe80⤵
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Dakokpbq.exeC:\Windows\system32\Dakokpbq.exe81⤵PID:1504
-
C:\Windows\SysWOW64\Dclkbh32.exeC:\Windows\system32\Dclkbh32.exe82⤵PID:880
-
C:\Windows\SysWOW64\Difcob32.exeC:\Windows\system32\Difcob32.exe83⤵PID:1728
-
C:\Windows\SysWOW64\Dldpkn32.exeC:\Windows\system32\Dldpkn32.exe84⤵PID:300
-
C:\Windows\SysWOW64\Ddkhmk32.exeC:\Windows\system32\Ddkhmk32.exe85⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Dcnhhhfl.exeC:\Windows\system32\Dcnhhhfl.exe86⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Ffcfdfac.exeC:\Windows\system32\Ffcfdfac.exe87⤵PID:1308
-
C:\Windows\SysWOW64\Khafei32.exeC:\Windows\system32\Khafei32.exe88⤵PID:1736
-
C:\Windows\SysWOW64\Lhqbdm32.exeC:\Windows\system32\Lhqbdm32.exe89⤵PID:1348
-
C:\Windows\SysWOW64\Mgmefhmh.exeC:\Windows\system32\Mgmefhmh.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Melicpbb.exeC:\Windows\system32\Melicpbb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Nijaio32.exeC:\Windows\system32\Nijaio32.exe92⤵PID:484
-
C:\Windows\SysWOW64\Nbbfbd32.exeC:\Windows\system32\Nbbfbd32.exe93⤵
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Neqbnp32.exeC:\Windows\system32\Neqbnp32.exe94⤵PID:536
-
C:\Windows\SysWOW64\Npmpdmii.exeC:\Windows\system32\Npmpdmii.exe95⤵
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Niedmb32.exeC:\Windows\system32\Niedmb32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Obpfkh32.exeC:\Windows\system32\Obpfkh32.exe97⤵PID:612
-
C:\Windows\SysWOW64\Opcfel32.exeC:\Windows\system32\Opcfel32.exe98⤵PID:1964
-
C:\Windows\SysWOW64\Obdofgpb.exeC:\Windows\system32\Obdofgpb.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Obgllgnp.exeC:\Windows\system32\Obgllgnp.exe100⤵PID:1580
-
C:\Windows\SysWOW64\Pdjeioak.exeC:\Windows\system32\Pdjeioak.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Piijgenp.exeC:\Windows\system32\Piijgenp.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Pmefhd32.exeC:\Windows\system32\Pmefhd32.exe103⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Ppcbdoem.exeC:\Windows\system32\Ppcbdoem.exe104⤵PID:1780
-
C:\Windows\SysWOW64\Pmgcmcdf.exeC:\Windows\system32\Pmgcmcdf.exe105⤵
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Pljcip32.exeC:\Windows\system32\Pljcip32.exe106⤵PID:1224
-
C:\Windows\SysWOW64\Qlomdpgl.exeC:\Windows\system32\Qlomdpgl.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Qhemiq32.exeC:\Windows\system32\Qhemiq32.exe108⤵PID:2044
-
C:\Windows\SysWOW64\Qkdiel32.exeC:\Windows\system32\Qkdiel32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Qopeekdm.exeC:\Windows\system32\Qopeekdm.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824 -
C:\Windows\SysWOW64\Ahjgdphj.exeC:\Windows\system32\Ahjgdphj.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1768 -
C:\Windows\SysWOW64\Aodoqj32.exeC:\Windows\system32\Aodoqj32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1424 -
C:\Windows\SysWOW64\Adcdoqll.exeC:\Windows\system32\Adcdoqll.exe113⤵
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Annemfqj.exeC:\Windows\system32\Annemfqj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Boobdn32.exeC:\Windows\system32\Boobdn32.exe115⤵PID:1588
-
C:\Windows\SysWOW64\Bgfjfk32.exeC:\Windows\system32\Bgfjfk32.exe116⤵
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Bflggh32.exeC:\Windows\system32\Bflggh32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Bhjccc32.exeC:\Windows\system32\Bhjccc32.exe118⤵PID:844
-
C:\Windows\SysWOW64\Bofhempp.exeC:\Windows\system32\Bofhempp.exe119⤵PID:1840
-
C:\Windows\SysWOW64\Bnihqj32.exeC:\Windows\system32\Bnihqj32.exe120⤵PID:1740
-
C:\Windows\SysWOW64\Boidkm32.exeC:\Windows\system32\Boidkm32.exe121⤵
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Bnlefieh.exeC:\Windows\system32\Bnlefieh.exe122⤵PID:1996
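The tree above is 122 stages deep and the flat listing hides two things an analyst wants quickly: which stages carry the persistence and file-drop signatures, and the fact that PIDs recur (for example PID 1172 is Loldbifc.exe at depth 5 and Qqmjlk32.exe at depth 70), which means earlier stages had already exited and their PIDs were recycled, so the chain runs sequentially rather than as concurrent processes. The script below is an added example, not part of the tria.ge report: it parses entries in the layout used above (image path, command line and depth run together, followed by `- <signature>` lines and a `PID:<n>` line) and reports reused PIDs and per-signature stage lists. The embedded excerpt is constructed in the report's layout, with image names taken from the tree but depths and PIDs chosen so that the excerpt is short and contains one reused PID.

```python
"""Triage a tria.ge process tree: PID reuse and signature distribution.

Added example, not part of the tria.ge report.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the report's layout.  Image names come from the
# tree above; depths and PIDs are chosen so that PID 1172 appears twice.
TREE = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe"C:\\Users\\Admin\\AppData\\Local\\Temp\\6de64d244e3f6881ac3c137281f66bcea1aa7e57d14e133e6ce8062efeeae893.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\\Windows\\SysWOW64\\Loldbifc.exeC:\\Windows\\system32\\Loldbifc.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\\Windows\\SysWOW64\\Pbhmko32.exeC:\\Windows\\system32\\Pbhmko32.exe3⤵PID:564
-
C:\\Windows\\SysWOW64\\Pjcaoa32.exeC:\\Windows\\system32\\Pjcaoa32.exe4⤵
- Drops file in System32 directory
PID:756 -
C:\\Windows\\SysWOW64\\Qqmjlk32.exeC:\\Windows\\system32\\Qqmjlk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1172 -
"""

# image path, command line (optionally quoted) and depth are run together;
# the PID either follows the depth marker or comes on its own 'PID:' line.
ENTRY_RE = re.compile(
    r'^(?P<image>\S+?\.exe)(?P<cmdline>"?[A-Za-z]:\\.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$'
)
SIG_RE = re.compile(r"^- (?P<sig>.+?)\s*$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")


def parse_tree(text):
    """Return one dict per process: image, path, depth, pid, signatures."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "-":          # bullet residue between entries
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "image": m["image"].rsplit("\\", 1)[-1],
                "path": m["image"],
                "depth": int(m["depth"]),
                "pid": int(m["pid"]) if m["pid"] else None,
                "signatures": [],
            }
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"text before any process entry: {line}")
        m = SIG_RE.match(line)
        if m:
            current["signatures"].append(m["sig"])
            continue
        m = PID_RE.match(line)
        if m:
            current["pid"] = int(m["pid"])
            continue
        raise ValueError(f"unrecognised line: {line}")
    return records


def reused_pids(records):
    """PIDs assigned to more than one process, with (depth, image) uses.
    A reused PID means the earlier process had exited and Windows recycled
    its PID, so those stages did not run concurrently."""
    by_pid = defaultdict(list)
    for r in records:
        if r["pid"] is not None:
            by_pid[r["pid"]].append((r["depth"], r["image"]))
    return {pid: uses for pid, uses in by_pid.items() if len(uses) > 1}


def signature_counts(records):
    """How many stages carry each signature."""
    return Counter(sig for r in records for sig in r["signatures"])


def stages_with(records, signature):
    """(depth, image) of every stage carrying the given signature."""
    return [(r["depth"], r["image"]) for r in records if signature in r["signatures"]]


if __name__ == "__main__":
    recs = parse_tree(TREE)
    print(f"{len(recs)} processes, depth 1..{recs[-1]['depth']}")
    for pid, uses in reused_pids(recs).items():
        print(f"PID {pid} reused:", ", ".join(f"depth {d} {img}" for d, img in uses))
    for sig, n in signature_counts(recs).most_common():
        print(f"{n:3d}  {sig}")
```

Run against the full tree, `stages_with` on the autorun signature lists every stage that touched the Explorer.exe startup key, and `reused_pids` returns the recycled PIDs, which is the reason a PID on its own is not a stable key for correlating these stages with other telemetry.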