Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
03/10/2023, 18:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a3996412c4fa5853807fe36142a41219_JC.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a3996412c4fa5853807fe36142a41219_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a3996412c4fa5853807fe36142a41219_JC.exe
-
Size
80KB
-
MD5
a3996412c4fa5853807fe36142a41219
-
SHA1
2626ec258d1a22afb56e0e4a020c6ac4024e7f66
-
SHA256
b772ee4e66d230273ec6d68f2575835884d384ef75aad8ef6c5abffb153e37a9
-
SHA512
9a5b86cf970f7c64f4bd4ee0054023c5406a42346e0119abb9fe532a5023df24f71b20f36297e22512cde6e55987c7ba3aaa7b85f551fd28add0474e6209bce9
-
SSDEEP
1536:tI2ou1Dp/UuTn7c40WA0M614yjHyzDfWqdMVrlEFtyb7IYOOqw4Tv:tvNUuzw40WO614yzyzTWqAhELy1MTTv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfognic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcdki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndemjoae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbikgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lifbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldokfakl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdnlhco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdldnomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljigih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhahanie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqokpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgicg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhilkege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnpmfqap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpqain32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddliip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqalaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koipglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdgqimc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdbmfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchijone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdjbaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbahpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkljdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlqjone.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmljgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfpfdeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcknhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefmcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egajnfoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgeelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnejim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgciff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeenochi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najpll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgajgeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fppaej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjbmelgm.exe -
Executes dropped EXE 64 IoCs
pid Process 2344 Pgeefbhm.exe 2756 Pclfkc32.exe 2784 Pmdjdh32.exe 2844 Pjhknm32.exe 2496 Qbcpbo32.exe 2052 Qmicohqm.exe 1960 Qcbllb32.exe 2812 Aipddi32.exe 2404 Alpmfdcb.exe 800 Abjebn32.exe 2004 Aehboi32.exe 472 Abmbhn32.exe 1476 Ahikqd32.exe 2468 Aemkjiem.exe 2264 Ajjcbpdd.exe 2376 Bpgljfbl.exe 2352 Bioqclil.exe 2292 Bdgafdfp.exe 1740 Behnnm32.exe 1756 Bblogakg.exe 1872 Bhigphio.exe 1832 Bppoqeja.exe 1532 Coelaaoi.exe 2308 Cdbdjhmp.exe 1728 Cnkicn32.exe 1780 Cddaphkn.exe 3024 Cojema32.exe 1560 Chbjffad.exe 2892 Cnobnmpl.exe 2644 Cjfccn32.exe 1168 Cldooj32.exe 2512 Ccngld32.exe 2472 Dbkknojp.exe 2560 Dhdcji32.exe 2836 Enakbp32.exe 1612 Ekelld32.exe 2148 Eqbddk32.exe 1368 Eqdajkkb.exe 576 Enhacojl.exe 584 Eqgnokip.exe 1528 Efcfga32.exe 2284 Eibbcm32.exe 3068 Echfaf32.exe 1424 Fidoim32.exe 1128 Ffhpbacb.exe 680 Figlolbf.exe 1524 Fncdgcqm.exe 1324 Fpcqaf32.exe 920 Fepiimfg.exe 2320 Fljafg32.exe 1784 Fbdjbaea.exe 1340 Fhqbkhch.exe 2080 Fmmkcoap.exe 2872 Gffoldhp.exe 1584 Gmpgio32.exe 2640 Gpncej32.exe 2316 Gepehphc.exe 2960 Gpejeihi.exe 2832 Ginnnooi.exe 1672 Hpgfki32.exe 1984 Hdildlie.exe 1636 Hoopae32.exe 2480 Hkhnle32.exe 1384 Hpefdl32.exe -
Loads dropped DLL 64 IoCs
pid Process 652 a3996412c4fa5853807fe36142a41219_JC.exe 652 a3996412c4fa5853807fe36142a41219_JC.exe 2344 Pgeefbhm.exe 2344 Pgeefbhm.exe 2756 Pclfkc32.exe 2756 Pclfkc32.exe 2784 Pmdjdh32.exe 2784 Pmdjdh32.exe 2844 Pjhknm32.exe 2844 Pjhknm32.exe 2496 Qbcpbo32.exe 2496 Qbcpbo32.exe 2052 Qmicohqm.exe 2052 Qmicohqm.exe 1960 Qcbllb32.exe 1960 Qcbllb32.exe 2812 Aipddi32.exe 2812 Aipddi32.exe 2404 Alpmfdcb.exe 2404 Alpmfdcb.exe 800 Abjebn32.exe 800 Abjebn32.exe 2004 Aehboi32.exe 2004 Aehboi32.exe 472 Abmbhn32.exe 472 Abmbhn32.exe 1476 Ahikqd32.exe 1476 Ahikqd32.exe 2468 Aemkjiem.exe 2468 Aemkjiem.exe 2264 Ajjcbpdd.exe 2264 Ajjcbpdd.exe 2376 Bpgljfbl.exe 2376 Bpgljfbl.exe 2352 Bioqclil.exe 2352 Bioqclil.exe 2292 Bdgafdfp.exe 2292 Bdgafdfp.exe 1740 Behnnm32.exe 1740 Behnnm32.exe 1756 Bblogakg.exe 1756 Bblogakg.exe 1872 Bhigphio.exe 1872 Bhigphio.exe 1832 Bppoqeja.exe 1832 Bppoqeja.exe 1532 Coelaaoi.exe 1532 Coelaaoi.exe 2308 Cdbdjhmp.exe 2308 Cdbdjhmp.exe 1728 Cnkicn32.exe 1728 Cnkicn32.exe 1780 Cddaphkn.exe 1780 Cddaphkn.exe 3024 Cojema32.exe 3024 Cojema32.exe 1560 Chbjffad.exe 1560 Chbjffad.exe 2892 Cnobnmpl.exe 2892 Cnobnmpl.exe 2644 Cjfccn32.exe 2644 Cjfccn32.exe 1168 Cldooj32.exe 1168 Cldooj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jhmone32.dll Imoilo32.exe File created C:\Windows\SysWOW64\Diphbfdi.exe Dojddmec.exe File opened for modification C:\Windows\SysWOW64\Ehkhaqpk.exe Eelkeeah.exe File created C:\Windows\SysWOW64\Jkcfefdg.dll Qkghgpfi.exe File created C:\Windows\SysWOW64\Acicla32.exe Apkgpf32.exe File created C:\Windows\SysWOW64\Hkekhpob.dll Faonom32.exe File created C:\Windows\SysWOW64\Gcghbk32.dll Qbcpbo32.exe File opened for modification C:\Windows\SysWOW64\Pfgngh32.exe Pkidlk32.exe File opened for modification C:\Windows\SysWOW64\Deojci32.exe Dkiefp32.exe File created C:\Windows\SysWOW64\Cmmcpi32.exe Ciagojda.exe File opened for modification C:\Windows\SysWOW64\Gjbmelgm.exe Fkmqdpce.exe File created C:\Windows\SysWOW64\Goknhdma.dll Cbiiog32.exe File created C:\Windows\SysWOW64\Fnflke32.exe Fgldnkkf.exe File opened for modification C:\Windows\SysWOW64\Lgchgb32.exe Lqipkhbj.exe File created C:\Windows\SysWOW64\Enakbp32.exe Dhdcji32.exe File created C:\Windows\SysWOW64\Jfoagoic.dll Kiijnq32.exe File created C:\Windows\SysWOW64\Fgfhjcgg.exe Fqmpni32.exe File opened for modification C:\Windows\SysWOW64\Lbicoamh.exe Lmljgj32.exe File created C:\Windows\SysWOW64\Iediin32.exe Iebldo32.exe File created C:\Windows\SysWOW64\Cmgkfh32.dll Oldpnn32.exe File created C:\Windows\SysWOW64\Dkkcoogp.dll Nigafnck.exe File created C:\Windows\SysWOW64\Bjnalhgb.dll Cjlheehe.exe File opened for modification C:\Windows\SysWOW64\Pmjaohol.exe Pjleclph.exe File created C:\Windows\SysWOW64\Ojgfoglc.dll Cqdfehii.exe File created C:\Windows\SysWOW64\Mdnfkg32.dll Fcdopc32.exe File opened for modification C:\Windows\SysWOW64\Joihjfnl.exe Jgncfcaa.exe File opened for modification C:\Windows\SysWOW64\Dikogf32.exe Dgmbkk32.exe File created C:\Windows\SysWOW64\Mihdgkpp.exe Mfihkoal.exe File opened for modification C:\Windows\SysWOW64\Dogpdg32.exe Dfphcj32.exe File opened for modification C:\Windows\SysWOW64\Khkbbc32.exe Kpdjaecc.exe File created C:\Windows\SysWOW64\Gqlhkofn.exe Gjbpne32.exe File created C:\Windows\SysWOW64\Cmapaflf.dll Koipglep.exe File opened for modification C:\Windows\SysWOW64\Pdbmfb32.exe Ppfafcpb.exe File created C:\Windows\SysWOW64\Bhcool32.dll Dahkok32.exe File created C:\Windows\SysWOW64\Icifjk32.exe Ibhicbao.exe File created C:\Windows\SysWOW64\Blmfea32.exe Bbdallnd.exe File created C:\Windows\SysWOW64\Mfakaoam.dll Boogmgkl.exe File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Dchdgl32.dll Mflgih32.exe File created C:\Windows\SysWOW64\Dhlqnh32.dll Hjndlqal.exe File created C:\Windows\SysWOW64\Ebmjlg32.dll Ibejdjln.exe File created C:\Windows\SysWOW64\Fblloc32.dll Keeeje32.exe File opened for modification C:\Windows\SysWOW64\Cehhdkjf.exe Ccgklc32.exe File opened for modification C:\Windows\SysWOW64\Fnqqgm32.exe Fgfhjcgg.exe File opened for modification C:\Windows\SysWOW64\Kllnhg32.exe Kfbfkmeh.exe File created C:\Windows\SysWOW64\Jieaofmp.exe Jhdegn32.exe File created C:\Windows\SysWOW64\Koipglep.exe Kilgoe32.exe File created C:\Windows\SysWOW64\Flfifa32.dll Addfkeid.exe File created C:\Windows\SysWOW64\Ccgklc32.exe Cmmcpi32.exe File opened for modification C:\Windows\SysWOW64\Qbcpbo32.exe Pjhknm32.exe File opened for modification C:\Windows\SysWOW64\Kicmdo32.exe Kiqpop32.exe File created C:\Windows\SysWOW64\Qiladcdh.exe Qqeicede.exe File created C:\Windows\SysWOW64\Gjngmmnp.exe Fcdopc32.exe File created C:\Windows\SysWOW64\Oegkqmai.dll Jolepe32.exe File created C:\Windows\SysWOW64\Pcaibd32.dll Cgcnghpl.exe File created C:\Windows\SysWOW64\Hfglml32.dll Bbllnlfd.exe File created C:\Windows\SysWOW64\Jipaip32.exe Jbfilffm.exe File opened for modification C:\Windows\SysWOW64\Kfjggo32.exe Jkebjf32.exe File opened for modification C:\Windows\SysWOW64\Lipecm32.exe Lpgajgeg.exe File created C:\Windows\SysWOW64\Neklbppb.exe Nbjcqe32.exe File opened for modification C:\Windows\SysWOW64\Qglmpi32.exe Qndigd32.exe File opened for modification C:\Windows\SysWOW64\Qjkjle32.exe Qglmpi32.exe File created C:\Windows\SysWOW64\Cchlkipc.dll Hfpdkl32.exe File created C:\Windows\SysWOW64\Nphgph32.dll Jfofol32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6496 6660 WerFault.exe 1004 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekddecnj.dll" Dhhhbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcool32.dll" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njpeip32.dll" Khkbbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlofgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdeaelok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngneph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkmqdpce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbepdhgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mneohj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjedmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpgfeao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfdfdee.dll" Bbjmpcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nidmfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keeeje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hanogipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmidng32.dll" Plpopddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefhhbef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cllkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Innmlblo.dll" Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkafj32.dll" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifmocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppcmncq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egajnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfoagoic.dll" Kiijnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plolgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkhabhbn.dll" Bnihdemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emifeqid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmeeepjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cehhdkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmoqnhla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmomml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgflbcg.dll" Bccjdnbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbiiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhahanie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lifcib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdmddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikqqfp32.dll" Ffqofohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hndlem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afbioogg.dll" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkahgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koipglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efcfga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffqofohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjicjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfijlo32.dll" Bcbfbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpqain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blibjh32.dll" Bpqain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohniib32.dll" Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjkclbf.dll" Opaebkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibejdjln.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 652 wrote to memory of 2344 652 a3996412c4fa5853807fe36142a41219_JC.exe 28 PID 652 wrote to memory of 2344 652 a3996412c4fa5853807fe36142a41219_JC.exe 28 PID 652 wrote to memory of 2344 652 a3996412c4fa5853807fe36142a41219_JC.exe 28 PID 652 wrote to memory of 2344 652 a3996412c4fa5853807fe36142a41219_JC.exe 28 PID 2344 wrote to memory of 2756 2344 Pgeefbhm.exe 29 PID 2344 wrote to memory of 2756 2344 Pgeefbhm.exe 29 PID 2344 wrote to memory of 2756 2344 Pgeefbhm.exe 29 PID 2344 wrote to memory of 2756 2344 Pgeefbhm.exe 29 PID 2756 wrote to memory of 2784 2756 Pclfkc32.exe 30 PID 2756 wrote to memory of 2784 2756 Pclfkc32.exe 30 PID 2756 wrote to memory of 2784 2756 Pclfkc32.exe 30 PID 2756 wrote to memory of 2784 2756 Pclfkc32.exe 30 PID 2784 wrote to memory of 2844 2784 Pmdjdh32.exe 31 PID 2784 wrote to memory of 2844 2784 Pmdjdh32.exe 31 PID 2784 wrote to memory of 2844 2784 Pmdjdh32.exe 31 PID 2784 wrote to memory of 2844 2784 Pmdjdh32.exe 31 PID 2844 wrote to memory of 2496 2844 Pjhknm32.exe 32 PID 2844 wrote to memory of 2496 2844 Pjhknm32.exe 32 PID 2844 wrote to memory of 2496 2844 Pjhknm32.exe 32 PID 2844 wrote to memory of 2496 2844 Pjhknm32.exe 32 PID 2496 wrote to memory of 2052 2496 Qbcpbo32.exe 34 PID 2496 wrote to memory of 2052 2496 Qbcpbo32.exe 34 PID 2496 wrote to memory of 2052 2496 Qbcpbo32.exe 34 PID 2496 wrote to memory of 2052 2496 Qbcpbo32.exe 34 PID 2052 wrote to memory of 1960 2052 Qmicohqm.exe 33 PID 2052 wrote to memory of 1960 2052 Qmicohqm.exe 33 PID 2052 wrote to memory of 1960 2052 Qmicohqm.exe 33 PID 2052 wrote to memory of 1960 2052 Qmicohqm.exe 33 PID 1960 wrote to memory of 2812 1960 Qcbllb32.exe 35 PID 1960 wrote to memory of 2812 1960 Qcbllb32.exe 35 PID 1960 wrote to memory of 2812 1960 Qcbllb32.exe 35 PID 1960 wrote to memory of 2812 1960 Qcbllb32.exe 35 PID 2812 wrote to memory of 2404 2812 Aipddi32.exe 36 PID 2812 wrote to memory of 2404 2812 Aipddi32.exe 36 PID 2812 wrote to memory of 2404 2812 Aipddi32.exe 36 PID 2812 wrote to memory of 2404 2812 Aipddi32.exe 36 PID 2404 wrote to memory of 800 2404 Alpmfdcb.exe 38 PID 2404 wrote to memory of 800 2404 Alpmfdcb.exe 38 PID 2404 wrote to memory of 800 2404 Alpmfdcb.exe 38 PID 2404 wrote to memory of 800 2404 Alpmfdcb.exe 38 PID 800 wrote to memory of 2004 800 Abjebn32.exe 37 PID 800 wrote to memory of 2004 800 Abjebn32.exe 37 PID 800 wrote to memory of 2004 800 Abjebn32.exe 37 PID 800 wrote to memory of 2004 800 Abjebn32.exe 37 PID 2004 wrote to memory of 472 2004 Aehboi32.exe 39 PID 2004 wrote to memory of 472 2004 Aehboi32.exe 39 PID 2004 wrote to memory of 472 2004 Aehboi32.exe 39 PID 2004 wrote to memory of 472 2004 Aehboi32.exe 39 PID 472 wrote to memory of 1476 472 Abmbhn32.exe 40 PID 472 wrote to memory of 1476 472 Abmbhn32.exe 40 PID 472 wrote to memory of 1476 472 Abmbhn32.exe 40 PID 472 wrote to memory of 1476 472 Abmbhn32.exe 40 PID 1476 wrote to memory of 2468 1476 Ahikqd32.exe 42 PID 1476 wrote to memory of 2468 1476 Ahikqd32.exe 42 PID 1476 wrote to memory of 2468 1476 Ahikqd32.exe 42 PID 1476 wrote to memory of 2468 1476 Ahikqd32.exe 42 PID 2468 wrote to memory of 2264 2468 Aemkjiem.exe 41 PID 2468 wrote to memory of 2264 2468 Aemkjiem.exe 41 PID 2468 wrote to memory of 2264 2468 Aemkjiem.exe 41 PID 2468 wrote to memory of 2264 2468 Aemkjiem.exe 41 PID 2264 wrote to memory of 2376 2264 Ajjcbpdd.exe 43 PID 2264 wrote to memory of 2376 2264 Ajjcbpdd.exe 43 PID 2264 wrote to memory of 2376 2264 Ajjcbpdd.exe 43 PID 2264 wrote to memory of 2376 2264 Ajjcbpdd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3996412c4fa5853807fe36142a41219_JC.exe"C:\Users\Admin\AppData\Local\Temp\a3996412c4fa5853807fe36142a41219_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800
-
-
-
-
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468
-
-
-
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe19⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe21⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe22⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe23⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe24⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe26⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe28⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Echfaf32.exeC:\Windows\system32\Echfaf32.exe29⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe30⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe31⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe32⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe33⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe34⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe35⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe36⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe38⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe39⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe40⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe41⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe42⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe43⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe44⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe45⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe46⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe47⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe49⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe50⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe51⤵PID:864
-
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe52⤵PID:2736
-
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe53⤵PID:1052
-
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe54⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe55⤵PID:1084
-
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe56⤵PID:892
-
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe57⤵PID:1736
-
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe58⤵PID:2196
-
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe59⤵PID:2324
-
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe60⤵PID:2796
-
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe61⤵PID:2648
-
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe63⤵PID:2956
-
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe64⤵PID:2968
-
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe65⤵PID:1772
-
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe66⤵PID:2952
-
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe68⤵PID:1108
-
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe69⤵PID:2552
-
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe70⤵PID:2896
-
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe71⤵PID:2356
-
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe72⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe73⤵PID:1520
-
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe74⤵PID:3016
-
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe75⤵PID:556
-
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe76⤵PID:1232
-
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe77⤵PID:2988
-
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe78⤵PID:2596
-
C:\Windows\SysWOW64\Ljkomfjl.exeC:\Windows\system32\Ljkomfjl.exe79⤵PID:3056
-
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe80⤵PID:2800
-
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe81⤵PID:3000
-
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe82⤵PID:1212
-
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe83⤵PID:2848
-
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe84⤵PID:2120
-
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe85⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe86⤵PID:3028
-
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe87⤵PID:1196
-
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe88⤵PID:2904
-
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe89⤵PID:2388
-
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe90⤵PID:2168
-
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe92⤵PID:868
-
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe93⤵PID:2200
-
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe94⤵PID:2624
-
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe95⤵PID:2256
-
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe96⤵PID:2668
-
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe97⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe98⤵PID:1356
-
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe99⤵PID:1812
-
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe100⤵PID:628
-
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe101⤵PID:2008
-
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe102⤵PID:2696
-
C:\Windows\SysWOW64\Ohcaoajg.exeC:\Windows\system32\Ohcaoajg.exe103⤵PID:2432
-
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe104⤵PID:1068
-
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe105⤵PID:2248
-
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe106⤵PID:2152
-
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe107⤵PID:2072
-
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe108⤵PID:2760
-
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe109⤵PID:2556
-
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe110⤵PID:1788
-
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe111⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe112⤵PID:240
-
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe113⤵PID:768
-
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe114⤵PID:2908
-
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe115⤵PID:1216
-
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe116⤵PID:1060
-
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe117⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe118⤵PID:600
-
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe119⤵PID:2740
-
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe120⤵PID:2692
-
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe121⤵PID:1700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-